Abstract: Ontic is an interactive system for developing and verifying mathematics. Ontic's verification mechanism is capable of automatically finding and applying information from a library containing hundreds of mathematical facts. Starting with only the axioms of Zermelo-Fraenkel set theory, the Ontic system has been used to build a data base of definitions and lemmas leading to a proof of the Stone representation theorem for Boolean lattices. The Ontic system has been used to explore issues in knowledge representation, automated deduction, and the automatic use of large data bases.
Chapter 1

Ontic in Brief

Ontic is a computer system for verifying mathematical arguments. Starting with the axioms of Zermelo-Fraenkel set theory, including Zorn's lemma as a version of the axiom of choice, the Ontic system has been used to define concepts involving partial orders and lattices and to verify a proof of the Stone representation theorem for Boolean lattices. This theorem involves an ultrafilter construction and is similar in complexity to the Tychonoff theorem in topology which states that an arbitrary product of compact spaces is compact. The individual steps in the proof were verified with an automated theorem prover. The Ontic theorem prover automatically accesses a lemma library containing hundreds of mathematical facts; as more facts are added to the system's lemma library the system becomes capable of verifying larger inference steps.

The Ontic theorem prover is based on what I call object-oriented inference. Object-oriented inference is a forward chaining inference process applied to a large lemma library and guided by a set of focus objects. The focus objects are terms in the sense of first order predicate calculus; they are expressions which denote objects. It is well known that unrestricted forward chaining starting with a large lemma library leads to an immediate combinatorial explosion. However, the Ontic theorem prover is guided by the focus objects; the inference process is restricted to statements that are, in a technical sense, about the focus objects. Thus the inference process is "object-oriented". In verifying an argument the user specifies the set of focus objects. For example the user may tell the system to consider an arbitrary lattice L, an arbitrary subset S of L, and an arbitrary member x of S. Ontic's inference mechanisms are restricted to a finite set of formulas that are about the given focus objects. Certain forward chaining constraint propagation techniques can be effectively applied to this finite set of formulas. Natural language mathematical arguments, like those found in textbooks and journals, appear to be object-oriented in the sense that they instruct the reader to focus on certain objects. Thus Ontic's object-oriented inference mechanisms seem well suited for verifying natural arguments.

There are two motivations for building a system for verifying natural arguments. First there is an engineering motive: a sufficiently powerful mechanical verifier could have a variety of important practical applications, such as ensuring the correctness of mathematical arguments, the correctness of software systems, and the correctness of engineered devices in general. Second, the construction of a verification system for natural arguments can be motivated in terms of cognitive psychology. A verification system for natural arguments provides a computational model of the human cognitive processes involved in verifying arguments. The plausibility of such a cognitive model can be judged by comparing the length and structure of the arguments acceptable to people with the length and structure of arguments acceptable to the cognitive model.

The engineering motive and the cognitive model motive for building verification systems are not independent; a verification system that is a good cognitive model is likely to be pragmatically useful. More specifically, a verification system is a good cognitive model to the extent that arguments acceptable to the model are similar to the arguments acceptable to people. Thus if a verification system is a good cognitive model then it should be easy to convert arguments that are acceptable to people to arguments that can be verified by the system; a system that is a good cognitive model provides a good "impedance match" between the human user and the verification system.

On the other hand the two motivations for verification systems, the engineering motive and the cognitive model motive, are different motivations with different criteria for success. A verification system that exhibits clearly superhuman performance in its ability to verify statements is a bad cognitive model but a good verifier from an engineering point of view. It turns out that Ontic's mechanism for reasoning about equality, congruence closure, leads to some clear examples of superhuman performance on the part of the Ontic system. Thus congruence closure is not a good cognitive model for the way people reason about equality — there are equality reasoning mechanisms which are weaker than congruence closure which provide better cognitive models. However, from an engineering point of view congruence closure is better than the weaker mechanism (at least on serial machines). The analysis of congruence closure as a bad cognitive model is presented in detail in chapter 3.

The Ontic system was designed with both motivations in mind — an attempt was made to make the system a pragmatically effective verification system and at the same time to make the system a rough model of human mathematical cognition. The Ontic system should be judged on two independent grounds relative to these two goals. First, one can evaluate the system as an engineered device for verifying proofs by attempting to use the system for that purpose. Second, one can attempt to evaluate the system as a cognitive model by judging the similarity between natural language arguments acceptable to people and formal arguments acceptable to the system.

The remainder of this chapter is divided into four sections. The first section briefly discusses the nature of natural language mathematical arguments. The second section of the chapter discusses the formal language used in the Ontic system. The third section describes the user-level interface to the system and gives several examples of arguments verified by the system. The fourth section describes the object-oriented inference mechanisms in more detail.

The relationship between Ontic and previous work in reasoning, knowledge representation, and theorem proving is discussed in detail in chapter 2. Chapter 3 presents an analysis of the Ontic system as a cognitive model giving examples of both superhuman and subhuman performance on the part of the Ontic system. Chapters 4 and 5 give a mathematically precise account of the inference mechanisms as marker propagation algorithms on certain kinds of graph structure. Chapter 6 gives a mathematically precise definition of the Ontic formal language and chapter 7 gives a mathematically precise account of the compilation process by which expressions in the formal language are converted into graph structure. Chapter 8 lists some potential applications of automated inference systems such as Ontic and chapter 9 summarizes the main features of the Ontic system.



1.1 The Nature of Natural Arguments 



By a "natural mathematical argument" I mean a proof written in a natural 
language, such as English, that would be acceptable as a fully worked out 
proof in a textbook or journal article. A natural mathematical argument 
consists of a sequence of natural language statements and the human reader 
is expected to use his or her knowledge and intelligence to see that each step 
clearly and necessarily follows from the previous steps. As an example of a 
natural argument consider the following proof that the square root of 2 is 
irrational. 



Suppose that the square root of two were rational, i.e.

$\frac{p^2}{q^2} = 2$

The squares $p^2$ and $q^2$ must each have an even number of prime factors. Thus, if $p^2/q^2$ is an integer then this integer must also have an even number of prime factors. But 2 has only a single prime factor so $p^2/q^2$ cannot equal 2.



This argument is perfectly rigorous; every step clearly follows from the previous steps and the conclusion is clearly established; $\sqrt{2}$ must be irrational. However, understanding this argument requires knowing certain facts about arithmetic and multisets. More specifically the above argument implicitly rests on the following facts:
1. The fundamental theorem of arithmetic — every natural number has a unique multiset of prime factors.

2. The multiset of factors of $p^2$ is the multiset union of the prime factors of p with itself.

3. The multiset union of a multiset with itself has an even number of members (an even multiset cardinality).

4. If p/q is an integer then the multiset of prime factors of q must be a subset of the multiset of prime factors of p.

5. If p/q is an integer then the multiset of prime factors of p/q is the multiset difference of the prime factors of p and the prime factors of q.

6. If the multisets $m_1$ and $m_2$ both have an even number of members and $m_2$ is a subset of $m_1$ then the multiset difference of $m_1$ and $m_2$ has an even number of members.
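The six facts above can be checked mechanically on concrete numbers. The following Python program is an added example, not part of the thesis: it represents a multiset of prime factors as a Counter, replays the argument for given p and q, and also exposes a limit of the argument as stated, since the parity reasoning of facts 3 and 6 only rules out a rational square root for numbers with an odd number of prime factors counted with multiplicity (it covers 2, but neither 4 nor 6).

```python
# Checking the multiset facts 1 to 6 behind the sqrt(2) argument (added example,
# not from the thesis).  A multiset is a collections.Counter: keys are primes,
# values are multiplicities.
from collections import Counter

def prime_factors(n):
    """Multiset of prime factors of an integer n >= 1 (fact 1 says it is unique)."""
    factors, d = Counter(), 2
    while d * d <= n:
        while n % d == 0:
            factors[d] += 1
            n //= d
        d += 1
    if n > 1:
        factors[n] += 1
    return factors

def cardinality(m):
    return sum(m.values())

def is_subset(a, b):
    """Multiset inclusion: every multiplicity in a fits inside b (fact 4's notion)."""
    return all(a[p] <= b[p] for p in a)

def square_argument(p, q):
    """Replays the argument for concrete p, q.

    Returns (p^2/q^2 is an integer, that integer equals 2)."""
    fp2 = prime_factors(p) + prime_factors(p)   # fact 2: union of the factors of p with itself
    fq2 = prime_factors(q) + prime_factors(q)
    assert fp2 == prime_factors(p * p) and fq2 == prime_factors(q * q)   # agrees with fact 1
    assert cardinality(fp2) % 2 == 0 and cardinality(fq2) % 2 == 0       # fact 3
    if not is_subset(fq2, fp2):                  # fact 4: otherwise p^2/q^2 is not an integer
        return False, False
    quotient = fp2 - fq2                         # fact 5: factors of p^2/q^2 by multiset difference
    assert cardinality(quotient) % 2 == 0        # fact 6: even minus even (a subset) is even
    return True, quotient == prime_factors(2)    # 2 has a single prime factor, so never equal

def parity_argument_applies(n):
    """The argument as stated only shows sqrt(n) irrational when n has an odd number
    of prime factors counted with multiplicity: true for 2, false for 4 and for 6."""
    return cardinality(prime_factors(n)) % 2 == 1

def no_rational_square_root_of_2(limit):
    """Exhaustive check for 1 <= p, q <= limit: p^2/q^2 never equals 2."""
    return not any(square_argument(p, q)[1]
                   for p in range(1, limit + 1) for q in range(1, limit + 1))
```

square_argument(12, 2) returns (True, False): 144/4 = 36 is an integer whose factor multiset {2, 2, 3, 3} has even cardinality, as facts 5 and 6 predict, and it is not 2. For 6, parity_argument_applies is false even though the square root of 6 is irrational; a proof for 6 needs the parity of each prime's multiplicity separately, which is a stronger fact than the ones listed.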



The fundamental theorem of arithmetic is a deep theorem involving several induction proofs. It seems quite likely that people have simply memorized this fact and use it freely. The other facts in the above list have simpler proofs (given the fundamental theorem of arithmetic). However, an explicit proof of any one of the above facts would be at least as long as the above proof that the square root of 2 is irrational. Furthermore, each of the above facts seems to be generally useful and thus it seems likely, or at least plausible, that people have memorized each of the above facts in addition to the fundamental theorem of arithmetic. People seem capable of using facts, such as the fundamental theorem, unconsciously; when reading the above natural argument one is not consciously aware of using the fundamental theorem of arithmetic. The above example suggests that people verify mathematical arguments by using knowledge they already have about the concepts involved and by applying that knowledge unconsciously in verifying the steps of the argument.
6 CHAPTER 1. ONTIC IN BRIEF

1.2 Ontic as a Formal Language 

The Ontic system cannot read natural language — before an argument can be verified it must be translated into a machine readable form. The Ontic system manipulates formulas in the formal language called Ontic. The Ontic language is a syntactic sugar for first order set theory. The design of this syntactic sugar was driven by two motivations. First, the language is designed to be as similar as possible to natural language while still being simple and mathematically precise. Most atomic formulas in the Ontic language consist of a subject "noun phrase" and a predicate "verb phrase". In addition to being similar to natural language, the syntactic structure of the Ontic formal language facilitates the object-oriented inference mechanisms used in the system. Object-oriented inference is guided by a set of focus objects. The inference mechanisms "type" the focus objects — the system assigns a set of types to each focus object. In the Ontic system a type is any predicate of one argument; the types assigned to a focus object are predicates that are known to be true of that object. The syntax of the Ontic language is designed to facilitate this typing process; most atomic formulas state that a particular type applies to a particular object.

In the Ontic language there is no distinction between types, classes, sorts, and predicates of one argument. For an object x and type τ the phrases "τ contains x", "x is an instance of τ" and "τ is true of x" all mean the same thing. The word type is used, as opposed to the word class or predicate, because Ontic types are used in much the same way that types are used in computer programming languages; functions in the formal language can only be applied to arguments of the appropriate type and thus there is a distinction between "well-typed" and "ill-formed" expressions. For example, consider a function TOPOLOGICAL-CLOSURE such that if X is a topological space and A is a subset of X then

(TOPOLOGICAL-CLOSURE A X) 

denotes the topological closure of A as a subset of X. An application of the operator TOPOLOGICAL-CLOSURE is well typed just in case its second argument denotes a topological space and its first argument denotes a subset of that space. The above expression is well typed but the expression

(TOPOLOGICAL-CLOSURE X A)

that results from reversing the arguments is not well typed because A is not a topological space and X need not be a subset of A.

Rather than give a rigorous syntax and semantics for the Ontic language, this section discusses the language informally and largely by example. A more rigorous treatment is presented in chapter 6. Every expression of the Ontic language belongs to exactly one of five syntactic categories; an expression is either a term, a formula, a function expression, a type expression, or a type generator expression. Terms are expressions that denote objects.[1] A formula is an expression which denotes one of the Boolean truth values true or false.[2] A function expression denotes a mapping from objects to objects. Each function expression takes a fixed number of arguments and returns an object.[3] Type expressions are predicates of one argument.[4] A type generator expression denotes a mapping from objects to types. Each type generator expression takes a fixed number of arguments and returns a type.[5]



1.2.1 Types

THING, SET, GROUP, TOPOLOGICAL-SPACE, RIEMANNIAN-MANIFOLD
(MEMBER-OF s), (LOWER-BOUND-OF s p)
(LAMBDA ((x τ)) Φ(x))
(EITHER x y)
(AND-TYPE τ₁ τ₂)
(OR-TYPE τ₁ τ₂)

Figure 1.1: Ontic Type Expressions

Figure 1.1 lists some type expressions. The first five type expressions in figure 1.1 are type symbols. The types THING and SET are primitive type symbols in the Ontic system. The Ontic system allows for the possibility that there are instances of the universal type THING, such as symbols, which are not instances of the type SET. Each of the types GROUP, TOPOLOGICAL-SPACE, and RIEMANNIAN-MANIFOLD can be defined in terms of more primitive concepts.

The next two type expressions are types that result from applying type generators to arguments. If a term s denotes a set then (MEMBER-OF s) is a type expression such that an object is an instance of the type (MEMBER-OF s) just in case it is a member of the set s.[6] Instances of the type

(LOWER-BOUND-OF s p)

are members of the partially ordered set p which are lower bounds of the subset s of p. One place lambda predicates are also type expressions. The instances of the type

(LAMBDA ((x τ)) Φ(x))

consist of exactly those instances x of the type τ which satisfy the formula Φ(x). The type (EITHER X Y) contains only the instances X and Y. The type (AND-TYPE τ₁ τ₂) contains exactly those objects which are instances of both the types τ₁ and τ₂. The type (OR-TYPE τ₁ τ₂) contains exactly those things which are instances of either of the types τ₁ or τ₂.

[1] A term is an expression of kind OBJECT. It is consistent with axioms of the logic to assume that all objects are actually sets in a standard model of ZFC set theory. However, it is more natural, and equally consistent, to assume that there exist objects which are not sets.

[2] A formula is an expression of kind BOOLEAN.

[3] Function expressions have kind OBJECT × OBJECT × ··· × OBJECT → OBJECT.

[4] Type expressions have kind OBJECT → BOOLEAN.

[5] Type generator expressions have kind OBJECT × OBJECT × ··· × OBJECT → TYPE.



1.2.2 Terms 

(fun x₁ x₂ ...)
(THE-SET-OF-ALL τ)
(THE-RULE fun)
(THE τ)
'symbol

Figure 1.2: Ontic Terms

Figure 1.2 gives some Ontic terms. There are several ways of constructing terms in Ontic. The application of a function to arguments is a term. If τ is a "small" type expression then the expression (THE-SET-OF-ALL τ) is a term which denotes the set of all instances of τ. The process of converting a type to a set is called reification and sets of the form

(THE-SET-OF-ALL τ)

are often called reified types. It is important to remember that there is a syntactic distinction between terms (which denote objects) and type expressions (which denote predicates). There are types, such as the type THING, which can not be converted to sets — there is no set of all things. Most of the axioms of Zermelo-Fraenkel set theory state that certain sets exist. One can view these axioms as saying that certain types can be converted to sets. In the Ontic system these axioms of set theory are incorporated into the notion of a syntactically small type expression; the operator THE-SET-OF-ALL can only be applied to syntactically small type expressions. The notion of a syntactically small type expression, and the relation between this notion and the axioms of set theory, are discussed in more detail in chapter 6, section 6.1.

[6] The term s denotes an object while the expression (MEMBER-OF s) denotes a type; no expression is allowed to be both a term and a type.

If fun is a function of one argument then the term (THE-RULE fun) denotes the "rule" that corresponds to the function. The relationship between functions and rules is analogous to the relationship between types and sets — the expression (THE-RULE fun) is a term and denotes an object while fun is a function expression. Expressions of the form (THE-RULE fun) are often referred to as reified functions. There exist functions which can not be reified as rules, e.g. any function defined on all sets, such as the function that maps an arbitrary set to its power set, is too big to be reified as a rule.

If τ is a type with exactly one instance then the expression (THE τ) is a term which denotes the single object contained in the type. For example, if

(PRIME-NUMBER-BETWEEN n m)

is a type whose instances are the prime numbers between n and m then

(THE (PRIME-NUMBER-BETWEEN 20 25))

denotes the number 23.

Expressions of the form 'symbol are also terms. For example the expression 'FOO denotes the symbol FOO. Quoted symbols denote objects which are instances of the type SYMBOL. The Ontic system allows for the possibility that all objects are sets, i.e. that every object is an element of a model of Zermelo-Fraenkel set theory. However, the Ontic system also allows for a more natural interpretation under which rules and symbols are not sets — the types SET, RULE, and SYMBOL can be assumed to be disjoint.

1.2.3 Formulas 

(IS x τ)
(EXISTS-SOME τ)
(EXISTS ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))
(FORALL ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))
(EXACTLY-ONE τ)
(IS-EVERY τ₁ τ₂)
(NOT Φ)
(AND Φ₁ Φ₂)

Figure 1.3: Ontic Formulas

Figure 1.3 gives some Ontic formulas. The formula (IS x τ) is true just in case x denotes an instance of the type τ. Formulas of this form are intuitively pleasing because they seem to reflect natural language syntax — x is a subject "noun phrase" and the type τ is a predicate that applies to the subject. The formula (EXISTS-SOME τ) is true just in case there exists an instance of τ. The formula

(EXISTS ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))

is true just in case there exist instances a₁, a₂, ..., aₙ of the types τ₁, τ₂, ..., τₙ respectively such that Φ is true when the variables x₁, x₂, ..., xₙ are interpreted as a₁, a₂, ..., aₙ respectively. The formula

(FORALL ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))

has the obvious analogous meaning. The formula (EXACTLY-ONE τ) is true just in case there is exactly one instance of the type τ. The formula

(IS-EVERY τ₁ τ₂)

is true just in case every instance of τ₁ is an instance of τ₂. Of course Boolean combinations of formulas are also formulas.



1.2.4 Definitions 

(DEFTERM (POWER-SET (S SET))
  (THE-SET-OF-ALL (SUBSET-OF S)))

(DEFTYPE (LOWER-BOUND-OF (S (SUBSET-OF (U-SET P)))
                         (P POSET))
  (LAMBDA ((X (MEMBER-OF (U-SET P))))
    (IS-EVERY (MEMBER-OF S)
              (GREATER-OR-EQUAL-TO X P))))

(DEFTYPE (GREATEST-LOWER-BOUND-OF (S (SUBSET-OF (U-SET P)))
                                  (P POSET))
  (LAMBDA ((X (LOWER-BOUND-OF S P)))
    (IS-EVERY (LOWER-BOUND-OF S P)
              (LESS-OR-EQUAL-TO X P))))

(DEFTYPE COMPLETE-LATTICE
  (LAMBDA ((P POSET))
    (FORALL ((S (SUBSET-OF (U-SET P))))
      (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S P)))))

Figure 1.4: Some Ontic Definitions

Figure 1.4 gives some examples of definitions of functions and type generators. Functions are defined with the DEFTERM construct as shown in the first example. In the first example the function POWER-SET is defined to be equivalent to the lambda function

(LAMBDA ((S SET)) (THE-SET-OF-ALL (SUBSET-OF S)))

Thus the function POWER-SET takes one argument which must be a set and returns the set of all subsets of that set. Types and type generators are defined with the DEFTYPE construct. The second definition in figure 1.4 defines LOWER-BOUND-OF to be a type generator which takes two arguments: a set s and a poset p where the set s is required to be a subset of the set of elements of p. The type generator LOWER-BOUND-OF takes these arguments and returns a type: a predicate of one argument. An object x is an element of the type (LOWER-BOUND-OF s p) just in case x is an element of the underlying set of the poset p and every member of the set s is greater than or equal to x under the ordering imposed by the poset p. The type generator GREATEST-LOWER-BOUND-OF is similar to LOWER-BOUND-OF: it takes a set s and a poset p where s is a subset of the underlying set of p and yields a type. An object x is an element of the type (GREATEST-LOWER-BOUND-OF s p) just in case x is a lower bound of s in the poset p and every lower bound of s in p is greater than or equal to x. The type COMPLETE-LATTICE is defined so that an object p is of type COMPLETE-LATTICE just in case p is a poset such that for every subset s of the underlying set of p there exists a greatest lower bound of s under the ordering imposed by p.

The type restrictions on the formal parameters of functions and type generators determine a distinction between well-typed and ill-formed expressions. The Ontic system will not invoke the definition of a function or type generator unless the arguments to the function or type generator have been proven to be of the correct type; the Ontic system effectively type-checks expressions before it expands definitions. Given the expressive power of the Ontic type system, however, one can easily show that there are well-typed expressions which fail to type check. In the Ontic system type checking involves theorem proving based on a lemma library. Many of the lemmas of the lemma library state that certain objects have certain types; not surprisingly, such lemmas play an important role in determining if an expression is well typed. It is often the case that a given expression fails to type check using one lemma library but succeeds in type checking given a stronger lemma library.
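As an added example, not code from the Ontic system, the following Python program evaluates a fragment of the language of figures 1.1 through 1.4 in a finite model. A type evaluates to the finite set of its instances, so IS, IS-EVERY, EXISTS-SOME, EXACTLY-ONE, LAMBDA types, THE-SET-OF-ALL and THE have direct set-theoretic readings, and the definitions of figure 1.4 are transcribed as nested tuples. As the text describes, the type restrictions on the formal parameters are enforced before a definition is expanded; the one substitution is that an argument is checked against the model rather than proven from a lemma library, so this model cannot exhibit an expression that is well typed yet fails to type check. The primitive operators U-SET, GREATER-OR-EQUAL-TO and LESS-OR-EQUAL-TO, the tuple representation of posets, and the two posets built in model() are assumptions of the example.

```python
# Finite-model evaluator for a fragment of the Ontic language (added example,
# not Ontic's own code).  Types evaluate to frozensets of instances, formulas to
# bool, terms to objects.  A poset is ("POSET", elements, relation), the
# relation being a set of (x, y) pairs meaning x <= y (an assumed encoding).
from itertools import combinations

DEFS = {}  # name -> (parameters, body); DEFTERM and DEFTYPE both record here

def define(name, params, body):
    DEFS[name] = (params, body)

def uset(p):
    """Underlying set of a poset; anything else is an ill-formed application."""
    if not (isinstance(p, tuple) and p[0] == "POSET"):
        raise TypeError("ill-formed: expected a poset")
    return p[1]

def subsets(s):
    elems = list(s)
    return frozenset(frozenset(c) for r in range(len(elems) + 1) for c in combinations(elems, r))

def assignments(bindings, env):
    """Environments for ((x1 t1) (x2 t2) ...): each xi ranges over the instances of ti."""
    if not bindings:
        yield env
        return
    (var, typ), *rest = bindings
    for a in evaluate(typ, env):
        yield from assignments(rest, {**env, var: a})

def evaluate(expr, env):
    if isinstance(expr, str):             # variable, defined type symbol, or primitive type
        if expr in env:
            return env[expr]
        if expr in DEFS and not DEFS[expr][0]:
            return evaluate(DEFS[expr][1], env)
        if expr == "THING":
            return frozenset(env["*universe*"])
        if expr == "SET":
            return frozenset(x for x in env["*universe*"] if isinstance(x, frozenset))
        if expr == "POSET":
            return frozenset(x for x in env["*universe*"] if isinstance(x, tuple))
        raise NameError(expr)
    if not isinstance(expr, tuple):
        return expr                       # a literal object such as a number
    op, *args = expr
    ev = lambda e: evaluate(e, env)
    if op == "IS":             return ev(args[0]) in ev(args[1])
    if op == "IS-EVERY":       return ev(args[0]) <= ev(args[1])
    if op == "EXISTS-SOME":    return len(ev(args[0])) > 0
    if op == "EXACTLY-ONE":    return len(ev(args[0])) == 1
    if op == "FORALL":         return all(evaluate(args[1], e) for e in assignments(args[0], env))
    if op == "LAMBDA":                    # one-place lambda predicate, i.e. a type
        (var, typ), = args[0]
        return frozenset(a for a in ev(typ) if evaluate(args[1], {**env, var: a}))
    if op == "AND-TYPE":       return ev(args[0]) & ev(args[1])
    if op == "MEMBER-OF":      return frozenset(ev(args[0]))
    if op == "SUBSET-OF":      return subsets(ev(args[0]))
    if op == "THE-SET-OF-ALL": return frozenset(ev(args[0]))   # reification: the type as a set object
    if op == "THE":                       # defined only when the type has exactly one instance
        inst = ev(args[0])
        if len(inst) != 1:
            raise ValueError(f"THE applied to a type with {len(inst)} instances")
        return next(iter(inst))
    if op == "U-SET":          return uset(ev(args[0]))
    if op in ("GREATER-OR-EQUAL-TO", "LESS-OR-EQUAL-TO"):
        x, p = ev(args[0]), ev(args[1])
        return frozenset(y for y in uset(p) if ((x, y) if op == "GREATER-OR-EQUAL-TO" else (y, x)) in p[2])
    if op in DEFS:                        # type-check the arguments, then expand the definition
        params, body = DEFS[op]
        local = {**env, **{var: ev(a) for (var, _), a in zip(params, args)}}
        for var, typ in params:
            if local[var] not in evaluate(typ, local):
                raise TypeError(f"ill-formed: argument {var} of {op} is not of type {typ}")
        return evaluate(body, local)
    raise NameError(op)

# The definitions of figure 1.4, transcribed into tuple form.
define("POWER-SET", [("S", "SET")], ("THE-SET-OF-ALL", ("SUBSET-OF", "S")))
define("LOWER-BOUND-OF", [("S", ("SUBSET-OF", ("U-SET", "P"))), ("P", "POSET")],
       ("LAMBDA", (("X", ("MEMBER-OF", ("U-SET", "P"))),),
        ("IS-EVERY", ("MEMBER-OF", "S"), ("GREATER-OR-EQUAL-TO", "X", "P"))))
define("GREATEST-LOWER-BOUND-OF", [("S", ("SUBSET-OF", ("U-SET", "P"))), ("P", "POSET")],
       ("LAMBDA", (("X", ("LOWER-BOUND-OF", "S", "P")),),
        ("IS-EVERY", ("LOWER-BOUND-OF", "S", "P"), ("LESS-OR-EQUAL-TO", "X", "P"))))
define("COMPLETE-LATTICE", [], ("LAMBDA", (("P", "POSET"),),
       ("FORALL", (("S", ("SUBSET-OF", ("U-SET", "P"))),),
        ("EXISTS-SOME", ("GREATEST-LOWER-BOUND-OF", "S", "P")))))

def model():
    """Constructed finite model: the divisors of 6 under divisibility, and a two-element antichain."""
    d6 = ("POSET", frozenset({1, 2, 3, 6}),
          frozenset((x, y) for x in (1, 2, 3, 6) for y in (1, 2, 3, 6) if y % x == 0))
    a2 = ("POSET", frozenset({"a", "b"}), frozenset({("a", "a"), ("b", "b")}))
    s23, s12 = frozenset({2, 3}), frozenset({1, 2})
    return {"*universe*": [d6, a2, s23, s12, 1, 2, 3, 6, "a", "b"],
            "D6": d6, "A2": a2, "S23": s23, "S12": s12}

def ill_formed(expr, env):
    """True when the type check rejects expr before any definition is expanded."""
    try:
        evaluate(expr, env)
        return False
    except TypeError:
        return True

def demo():
    env = model()
    return {"D6 complete lattice": evaluate(("IS", "D6", "COMPLETE-LATTICE"), env),
            "A2 complete lattice": evaluate(("IS", "A2", "COMPLETE-LATTICE"), env),
            "glb of {2,3} in D6": evaluate(("THE", ("GREATEST-LOWER-BOUND-OF", "S23", "D6")), env),
            "power set of {1,2}": evaluate(("POWER-SET", "S12"), env)}
```

In the divisibility poset every subset has a greatest lower bound (its gcd, with 6 for the empty subset), so D6 is an instance of COMPLETE-LATTICE, while the antichain is not because {a, b} has no lower bound at all. Reversing the arguments of LOWER-BOUND-OF, as with TOPOLOGICAL-CLOSURE in section 1.2, is rejected by the parameter check before the body is ever evaluated, and (POWER-SET 3) is rejected because 3 is not an instance of SET.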



1.2.5 Summary 

In addition to providing a distinction between well-typed and ill-formed expressions, the Ontic type vocabulary seems to allow for concise and natural formal statements. For example the IS-EVERY phrase constructor allows the concise expression of statements that would normally require explicit quantification. Similarly, the EXISTS-SOME phrase constructor uses the type vocabulary to make concise existential statements. Types are also used directly by the phrase constructors THE-SET-OF-ALL, THE, and EXACTLY-ONE.

The definitions in figure 1.4 should provide an indication of the conciseness and expressive power of the Ontic language. Jonathan Rees spent about a month defining various mathematical concepts in Ontic. Starting with only the fundamental notions described above, he used the Ontic language to formally define groups, rings, ideals in a ring, fields, the natural numbers, the real numbers (defined both as a totally ordered complete field and as Dedekind cuts), topological spaces, continuous functions, homotopy of maps between topological spaces, the fundamental group of a topological space, differentiable functions on the reals, the derivative of a function, the notion of a category and products and limits in arbitrary categories. The ease with which Rees expressed these concepts suggests that any mathematical concept can be readily expressed in Ontic.



1.3 Examples of Verification 

Object-oriented inference operates in a context. A context consists of three things: a lemma library, a set of focus objects and a set of suppositions about the focus objects. Figure 1.5 gives a block diagram of the object-oriented inference mechanisms used in the Ontic system. The inference process is forward chaining; it draws conclusions from the lemma library without being given any goal formula. It is well known that unrestricted forward chaining from a large lemma library leads to an immediate combinatorial explosion — vast numbers of formulas are generated where each formula can be derived from the given lemmas in only a few steps. The forward chaining inference mechanisms used in the Ontic system, however, are guided by the focus objects. The focus objects are Ontic terms, expressions that denote objects. The system restricts its inference process to formulas that are in some sense "about" the focus objects. There are four basic inference mechanisms: Boolean constraint propagation, congruence closure, focused binding (also called semantic modulation), and automatic universal generalization. The first two inference mechanisms are well known inference procedures for the quantifier-free predicate calculus with equality. The last two inference mechanisms are unique to the Ontic system. These four inference mechanisms are discussed in section 1.4 and again in more detail in chapters 4 and 5. In a given context the four forward chaining inference mechanisms generate a set of formulas about the focus objects called "obvious truths".
Lemma Library
Focus Objects
Suppositions
      |
      v
Boolean Constraint Propagation
Congruence Closure
Focused Binding
Automatic Universal Generalization
      |
      v
Obvious Truths

Figure 1.5: A Block Diagram of Object-Oriented Inference
(let-be F family-of-sets)

(let-be S set)

(suppose (is-every (member-of F) (superset-of S)))

Ontic Listener

Ontic Stack

3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.6: The Ontic Interpreter Display
The Ontic interpreter is an interactive system for verifying proofs. Each step in an argument is associated with a context, i.e. a set of focus objects, a set of suppositions about the focus objects and the current lemma library. The user tells the system when to enter new contexts, when to leave old contexts, and when to "note" a fact that has been established in a given context. Figure 1.6 shows the display of the Ontic interpreter as seen by a user who is about to verify a fact concerning families of sets. The top half of the display is a Lisp listener: a window for interacting with a Lisp interpreter. The bottom half of the display shows the context stack which displays the set of suppositions and focus objects for the current context. In the example shown in figure 1.6 the user first instructs the system to let F be a family of sets. This causes the system to enter a context in which it is focusing on an arbitrary family of sets denoted by F. The user then instructs the system to let S be any set. This causes the system to enter a context where it is focusing on an arbitrary set S. Finally the user instructs the system to suppose that every set in the family F is a superset of (i.e. contains) the set S. Each time a new context is entered, the instruction for entering that context is pushed onto the context stack shown in the bottom half of the display. By looking at the context stack display one can determine the set of focus objects and suppositions that are currently active.

Figures 1.7 through 1.13 show successive stages in the verification of a simple fact concerning families of sets. Let F be a family of sets, let S be a set and suppose that every member of the family F contains the set S. Figures 1.7 through 1.13 present an argument showing that the set S must be a subset of the intersection of the members of the family F. Figure 1.7 shows the definition of the function FAMILY-INTERSECTION which takes a family of sets and returns the intersection of all its members. In Figure 1.7 the user asks the system to abbreviate the term (FAMILY-INTERSECTION F) with the symbol INT. This causes the intersection INT to become a focus object. The user then asks the system if the set S is a subset of INT and the system says it doesn't know. The user then states that the formula (IS S (SUBSET-OF INT)) is a goal to be proven. This last instruction has no effect on the context; the system is not goal directed and ignores goals which appear on the context stack. Goals act as comments which improve the readability of proofs (the written form of proofs will be discussed later).
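The following Python program is an added example, not the Ontic implementation, that models the interaction of figures 1.6 through 1.11 and the context notion of section 1.3: a stack of let-be and suppose contexts, a small constructed lemma library, forward chaining restricted to conclusions that name nothing but focus objects, automatic universal generalization over an arbitrary object introduced by let-be, and the existence check that rejects the instruction of figure 1.8. Congruence closure and focused binding are not modelled. The lemma library (definitions of superset-of, set-containing, subset-of and one direction of the family-intersection definition of figure 1.7) and the two existence lemmas that allow the system to introduce INT and S2 are assumptions of the example.

```python
# Toy model of Ontic's context stack and focus-guided forward chaining (added
# example, not Ontic's own code).  Formulas are nested tuples mirroring Ontic
# s-expressions; rule variables start with "?".
LEMMAS = [  # constructed lemma library; the last two existence lemmas are assumptions
    ([("is-every", "?t", "?p"), ("is", "?x", "?t")], ("is", "?x", "?p")),
    ([("is", "?a", ("superset-of", "?b")), ("is", "?x", ("member-of", "?b"))],
     ("is", "?x", ("member-of", "?a"))),
    ([("is", "?x", ("member-of", "?a"))], ("is", "?a", ("set-containing", "?x"))),
    ([("is-every", ("member-of", "?f"), ("set-containing", "?x")),       # figure 1.7 definition
      ("is", "?i", ("family-intersection", "?f"))], ("is", "?x", ("member-of", "?i"))),
    ([("is-every", ("member-of", "?a"), ("member-of", "?b"))], ("is", "?a", ("subset-of", "?b"))),
    ([("is", "?f", "family-of-sets")], ("exists-some", ("family-intersection", "?f"))),
    ([("is", "?f", "family-of-sets")], ("exists-some", ("member-of", "?f"))),
]
OPERATORS = {"is", "is-every", "exists-some", "member-of", "superset-of", "subset-of",
             "set-containing", "family-intersection", "set", "family-of-sets"}

def match(pat, expr, binds):
    """Extend binds so that pat matches expr; None on failure."""
    if isinstance(pat, str) and pat.startswith("?"):
        return {**binds, pat: expr} if binds.get(pat, expr) == expr else None
    if isinstance(pat, tuple) and isinstance(expr, tuple) and len(pat) == len(expr):
        for p, e in zip(pat, expr):
            if (binds := match(p, e, binds)) is None:
                return None
        return binds
    return binds if pat == expr else None

def subst(expr, binds):
    return tuple(subst(e, binds) for e in expr) if isinstance(expr, tuple) else binds.get(expr, expr)

def mentions(expr, name):
    return expr == name or (isinstance(expr, tuple) and any(mentions(e, name) for e in expr))

def instantiate(premises, known, binds):
    """All bindings under which every premise is a known fact."""
    if not premises:
        yield binds
        return
    for fact in known:
        if (b := match(premises[0], fact, binds)) is not None:
            yield from instantiate(premises[1:], known, b)

class Ontic:
    """Stack of frames (kind, name, type or formula, facts derived in that context)."""
    def __init__(self):  # the root frame holds assumed library facts
        self.stack = [("root", None, None, {("exists-some", "set"), ("exists-some", "family-of-sets")})]
    def facts(self):
        return set().union(*(frame[3] for frame in self.stack))
    def about_focus(self, expr):
        """Object-oriented restriction: a conclusion may name nothing but focus objects."""
        focus = {f[1] for f in self.stack if f[0] == "let-be"}
        parts = expr if isinstance(expr, tuple) else (expr,)
        return all(self.about_focus(e) if isinstance(e, tuple) else (e in OPERATORS or e in focus) for e in parts)
    def generalize(self, fact):
        """Automatic universal generalization: (is V P), V an unconstrained arbitrary
        instance of T, gives (is-every T P)."""
        if not (isinstance(fact, tuple) and fact[0] == "is"):
            return None
        _, v, p = fact
        for i, (kind, name, typ, _) in enumerate(self.stack):
            if kind == "let-be" and name == v:
                constrained = any(k == "suppose" and mentions(f, v) for k, _, f, _ in self.stack[i + 1:])
                return None if constrained or mentions(p, v) or p == typ else ("is-every", typ, p)
        return None
    def close(self):  # forward chain to a fixed point in the current context
        while True:
            known, new = self.facts(), set()
            for premises, conclusion in LEMMAS:
                for binds in instantiate(premises, known, {}):
                    c = subst(conclusion, binds)
                    if c not in known and self.about_focus(c):
                        new.add(c)
            new |= {g for g in map(self.generalize, known | new) if g is not None and g not in known}
            if not new:
                return
            self.stack[-1][3].update(new)
    def let_be(self, name, typ):
        """Focus on an arbitrary instance of typ; refused unless its existence is established (figure 1.8)."""
        if ("exists-some", typ) not in self.facts():
            raise ValueError(f"You have not established {('exists-some', typ)}")
        self.stack.append(("let-be", name, typ, {("is", name, typ)}))
        self.close()
    def suppose(self, formula):
        self.stack.append(("suppose", None, formula, {formula}))
        self.close()
    def pop(self):  # leave the context; facts not mentioning a popped arbitrary object survive
        kind, name, _, facts = self.stack.pop()
        if kind == "let-be":
            self.stack[-1][3].update(f for f in facts if not mentions(f, name))
    def is_(self, x, typ):
        return "YES" if ("is", x, typ) in self.facts() else "I-DONT-KNOW"

def replay_figures():
    """Replays the interaction of figures 1.6 to 1.11 and returns the system's answers."""
    o, ans = Ontic(), {}
    o.let_be("F", "family-of-sets")
    o.let_be("S", "set")
    o.suppose(("is-every", ("member-of", "F"), ("superset-of", "S")))
    o.let_be("INT", ("family-intersection", "F"))
    ans["fig 1.7"] = o.is_("S", ("subset-of", "INT"))
    try:
        o.let_be("X", ("member-of", "S"))                # figure 1.8: rejected
    except ValueError as err:
        ans["fig 1.8"] = str(err)
    o.suppose(("exists-some", ("member-of", "S")))
    o.let_be("X", ("member-of", "S"))
    ans["fig 1.9"] = o.is_("X", ("member-of", "INT"))
    o.let_be("S2", ("member-of", "F"))
    ans["fig 1.10"] = (o.is_("X", ("member-of", "S2")), o.is_("X", ("member-of", "INT")),
                       o.is_("S", ("subset-of", "INT")))
    o.pop(); o.pop()                                      # figure 1.11: the two [Abort]s
    ans["fig 1.11"] = o.is_("S", ("subset-of", "INT"))
    return ans
```

The answers follow the figures: I-DONT-KNOW for (is? S (subset-of INT)) in the context of figure 1.7 and for (is? X (member-of INT)) in figure 1.9, YES to all three queries once the arbitrary member S2 of F is in focus, and YES for (is? S (subset-of INT)) after the two contexts are popped. The existence check in let_be is what makes the surviving facts sound: a fact that does not mention a popped arbitrary object was derived under the extra assumption only that such an object exists, and that assumption had to be established before the context was entered.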
(defterm (family-intersection (F family-of-sets))
  (the-set-of-all
    (lambda ((x (member-of-member F)))
      (is-every (member-of F) (set-containing x)))))
DEFINING FAMILY-INTERSECTION
[ONTIC:DEFINED-FUNCTION-SYMBOL FAMILY-INTERSECTION]

(let-be INT (family-intersection F))

(is? S (subset-of INT))
I-DONT-KNOW

(push-goal (is S (subset-of INT)))

Ontic Listener

Ontic Stack

5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.7: Statement of a New Lemma to be Proved
(let-be X (member-of S))

>>Error: You have not established (EXISTS-SOME (MEMBER-OF S))

(PROPERTY LET-BE ONTIC:CONSTRUCTOR-FUNCTION):
   Arg 0 (ONTIC:ABBREV): X
   Arg 1 (ONTIC:TYPE): (MEMBER-OF S)
   Rest arg (FORMULA): NIL
<Abort>: Back to frame 5 read-eval-print
         Return to Lisp Top Level in Ontic Listener
         Restart process Lisp Pane 1

Ontic Listener

Ontic Stack

6 (LET-BE X (MEMBER-OF S))
5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.8: A Failed Instruction to the Interpreter
Ontic Listener:

(suppose (exists-some (member-of S)))

(let-be X (member-of S))

(is? X (member-of INT))
I-DONT-KNOW

Ontic Stack:

7 (LET-BE X (MEMBER-OF S))
6 (SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.9: Supposing the Existence of Objects of a Certain Kind 
Ontic Listener:

;(defterm (family-intersection (F family-of-sets))
;  (the-set-of-all
;    (lambda ((x (member-of-member F)))
;      (is-every (member-of F) (set-containing x)))))

(let-be S2 (member-of F))

(is? X (member-of S2))
YES

(is? X (member-of INT))
YES

(is? S (subset-of INT))
YES

(note-goal)

Ontic Stack:

8 (LET-BE S2 (MEMBER-OF F))
7 (LET-BE X (MEMBER-OF S))
6 (SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.10: Establishing the Goal in a Certain Context 
Ontic Listener:

[Abort]
NIL

[Abort]
NIL

(is? S (subset-of INT))
YES

Ontic Stack:

6 (SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.11: Bringing the Result Back to an Earlier Context 
Ontic Listener:

[Abort]
NIL

(is? S (subset-of INT))
I-DONT-KNOW

Ontic Stack:

5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.12: The Result Does Not Move Past Relevant Suppositions 
Ontic Listener:

(note-goal)
T

(is? S (subset-of INT))
YES

Ontic Stack:

5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
4 (LET-BE INT (FAMILY-INTERSECTION F))
3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)

Figure 1.13: A Simple Automatic Refutation Finishes the Proof 
To show that the set S is a subset of INT we must show that every member 
of S is a member of INT. To do this we can consider some arbitrary member 
X of the set S. In figure 1.8 the user tells the system to do so. However, 
the system complains that we have not yet established that such members 
exist; the set S might be empty. In general the system ensures that every 
object being considered is known to exist. In order to consider an arbitrary 
member of the set S we must first assume that such members exist. In figure 
1.9 the user first instructs the system to suppose that there are members 
of the set S and then he instructs the system to consider a particular (but 
arbitrary) member X. The user then asks the system if X is a member of INT 
and the system doesn't know. At this point the user may be mystified as to 
why the system does not "see" the obvious fact that X is indeed a member 
of the family intersection INT. Before proceeding further, the user reviews 
the definition of the function FAMILY-INTERSECTION as shown in figure 1.10. 
This definition states that X is a member of the family intersection just in 
case X is a member of every set in the family F. In figure 1.10 the user 
shows that X is a member of the intersection INT by showing that X is a 
member of an arbitrary set S2 in the family F. This is done by considering an 
arbitrary member S2 of the family F. In this scenario, instances of the type 
FAMILY-OF-SETS are by definition non-empty and thus we do not need the 
additional assumption that F is non-empty. When the system focuses on the 
member S2 of the family F it "sees" that because X is a member of S, and 
S is a subset of S2, X is a member of S2. At this point the system performs 
an automatic universal generalization. Since S2 is an arbitrary member of 
F, and since X has been shown to be a member of S2, it follows that X is a 
member of every member of F. Furthermore since X is an arbitrary member 
of S the system can perform yet another automatic universal generalization 
and conclude that all members of S must be members of INT and thus S is a 
subset of INT. Asking the system a question has no effect on the state of the 
system; the questions shown in figure 1.10 serve only to indicate the line of 
reasoning used by the system. The problem was actually solved by forward 
chaining as soon as the last context was entered. 

The forward chaining inference mechanisms establish the goal in the con- 
text shown in figure 1.10. In order to remember that the goal has been 
proven, the system must update the underlying lemma library. More specif- 
ically, if the lemma library were not updated, then when the user returned 
to a previous context, nothing would have been learned; the set of "obvious 
truths" in a context is determined by the lemma library, the focus objects 
and the suppositions. In the scenario shown in figure 1.10 the user explicitly 
updates the lemma library by calling the function NOTE-GOAL. In this case 
the system adds the following lemma: 

(FORALL ((F FAMILY-OF-SETS)
         (S SET))
  (=> (AND (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S))
           (EXISTS-SOME (MEMBER-OF S)))
      (IS S (SUBSET-OF (FAMILY-INTERSECTION F)))))

In any context, the user can instruct the system to note any formula that 
is obviously true in that context. The function NOTE-GOAL is just an abbre- 
viation for noting the latest goal which has been pushed onto the context 
stack; the same effect would have been achieved if the user had typed 

(NOTE (IS S (SUBSET-OF INT)))

When a formula is noted the system constructs the implication which 
states that suppositions active in the current context imply the noted for- 
mula. The system then adds the universal closure of that implication to the 
permanent lemma library. Note that in this case we have not really proven 
the desired lemma; we have only proven it for the case where the set S is 
non-empty. 

Figure 1.11 shows that with the updated lemma library, the desired result 
is "obvious" in the context associated with stack frame 6. However, the result 
must still be proven for the case where S is empty; figure 1.12 shows that 
the result has not yet been established at stack frame 5. But the case for 
the empty set is trivial, and in figure 1.13 the user simply asks the system 
to note the goal. Since the goal is not known directly at frame 5, the system 
does a refutation proof; it enters a context where the goal is assumed to be 
false. Given the new lemma shown above, the forward chaining inference 
mechanisms are able to derive a contradiction from the negation of the goal, 
and thus the goal is established by refutation. Thus the note-goal in figure 
1.13 has the effect of adding the following lemma to the lemma library. 
(FORALL ((F FAMILY-OF-SETS)
         (S SET))
  (=> (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S))
      (IS S (SUBSET-OF (FAMILY-INTERSECTION F)))))

The "proof" shown in figures 1.7 through 1.13 is automatically recorded 
by the system; Figure 1.14 shows an automatically generated textual repre- 
sentation of the complete proof. Evaluating the form shown in figure 1.14 
with the Lisp interpreter causes the above two lemmas to be proved and 
added to the lemma library. (The second lemma makes the first one obsolete 
and the user can, if he wishes, explicitly delete the first lemma after the proof 
has been done.) 

The textual representation of proofs involves IN-CONTEXT expressions. In 
general an IN-CONTEXT expression is composed of two parts: a "context def- 
inition" and a body; the context definition specifies the construction of a 
new context by giving a list of context-constructing instructions. The body 
is a list of instructions to be executed in the specified context. The body of 
an IN-CONTEXT expression may contain embedded IN-CONTEXT expressions. 
Embedded contexts inherit the focus objects and suppositions of outer con- 
texts. 

The two note-goal expressions in figure 1.14 correspond to the case anal- 
ysis performed in the interactive proof. The first note-goal notes that if there 
exists a member of S then the theorem is true. The second note-goal invokes 
a refutation proof which effectively handles the case where S is empty. In 
general multiple note-goals for the same goal correspond to a case analysis. 
Often, as in this example, the context for the last case does not need to be 
explicitly constructed because an automatic refutation process initiated by 
the last note-goal effectively constructs the context for the last case. 

The Ontic interpreter is able to use a large lemma library without human 
assistance; the system automatically applies facts from the lemma library 
whenever it enters a new context. Figure 1.15 shows the lemma established 
by the proof in figure 1.14 together with two other facts: for every family 
of sets F, every member of F contains (as a subset) the family intersection 
of F; and, for two sets, if each is a subset of the other, then the two sets 
are equal. 

(IN-CONTEXT ((LET-BE F FAMILY-OF-SETS)
             (LET-BE S SET)
             (SUPPOSE (IS-EVERY (MEMBER-OF F)
                                (SUPERSET-OF S)))
             (LET-BE INT (FAMILY-INTERSECTION F))
             (PUSH-GOAL (IS S (SUBSET-OF INT))))
  (IN-CONTEXT ((SUPPOSE (EXISTS (MEMBER-OF S)))
               (LET-BE X (MEMBER-OF S))
               (LET-BE S2 (MEMBER-OF F)))
    (NOTE-GOAL))
  (NOTE-GOAL))

Figure 1.14: The History 

(FORALL ((F FAMILY-OF-SETS)
         (S SET))
  (=> (IS-EVERY (MEMBER-OF F)
                (SUPERSET-OF S))
      (IS S (SUBSET-OF (FAMILY-INTERSECTION F)))))

(FORALL ((F FAMILY-OF-SETS)
         (S (MEMBER-OF F)))
  (IS (FAMILY-INTERSECTION F)
      (SUBSET-OF S)))

(FORALL ((S1 SET)
         (S2 SET))
  (=> (AND (IS S1 (SUBSET-OF S2))
           (IS S2 (SUBSET-OF S1)))
      (= S1 S2)))

Figure 1.15: Some Simple Facts 

(IN-CONTEXT ((LET-BE S SET)
             (LET-BE S2 (SUBSET-OF S))
             (LET-BE F (THE-SET-OF-ALL
                         (AND-TYPE (SUBSET-OF S)
                                   (SUPERSET-OF S2)))))
  (IN-CONTEXT ((PUSH-GOAL (= S2 (FAMILY-INTERSECTION F))))
    (IN-CONTEXT ((LET-BE INT (FAMILY-INTERSECTION F))
                 (LET-BE S3 (MEMBER-OF F)))
      (NOTE-GOAL))))

Figure 1.16: A Proof Using Lemmas 

Figure 1.16 is a proof which makes use of the facts in figure 1.15. 
We assume that the lemmas in figure 1.15 have been placed in the lemma 
library and are therefore available to the Ontic interpreter. The proof in 
figure 1.16 goes as follows: Let S be any set and let S2 be any subset of 
S. Let F be the set of all subsets of S which contain the set S2. We wish 
to show that the family intersection of F equals the set S2. First the user 
focuses on the family intersection of F by abbreviating this intersection with 
the symbol INT. Next the user focuses on an arbitrary member of the family 
F. Focusing on an arbitrary member of F causes the system to "realize" various 
facts about F. For example every member of F is a set and thus F is a family 
of sets. By proving that F is a family of sets the system establishes that 
the term (FAMILY-INTERSECTION F) is well typed and thus the definition of 
FAMILY-INTERSECTION can be invoked. Furthermore S3 is a superset of S2 
so S2 is a subset of S3 and by universal generalization S2 is a subset of every 
member of F. Once the system deduces that F is a family of sets and every 
member of F is a set which contains S2 the system automatically applies the 
first lemma in figure 1.15 and realizes that S2 is a subset of the intersection 
INT. The system also realizes that the set S2 is a member of the family F and 
applies the second lemma in figure 1.15, thus realizing that the intersection 
INT is a subset of S2. Finally the system applies the third fact in figure 
1.15 and realizes that INT equals S2. 

Actually the Ontic interpreter makes no distinction between definitions 
and lemmas; definitions are just universally quantified equations which are 
accessed in the same manner as lemmas. The proof shown in figure 1.16 
relies on definitions as well as the lemmas shown in figure 1.15. The proof 
shown in figure 1.14 does not involve any previously proven lemmas but it 
does involve the definition of the intersection of a family of sets. 

In general, the user need not make explicit references to definitions and 
lemmas. The user relies on the system to use definitions and lemmas when- 
ever they are appropriate. For example, consider an arbitrary lemma of 
following form: 

(FORALL ((x τ1) (y τ2)) Φ(x, y)) 

This "lemma" might actually be a definition in which case Φ is an equation 
or logical equivalence. The Ontic system will automatically use this lemma 
in any context where there are two focus objects A and B such that A is an 
instance of τ1 and B is an instance of τ2. In general, a universally quantified 
lemma such as the one shown above will be instantiated with all combina- 
tions of focus objects that match the type restrictions of the lemma. Once 
the lemmas have been instantiated with the focus objects, the system applies 
the forward chaining inference techniques of Boolean constraint propagation, 
congruence closure, and automatic universal generalization. The instantia- 
tion process that invokes facts from the lemma library is a graph-theoretic 
marker-propagation inheritance mechanism called focused binding or seman- 
tic modulation. The focused binding mechanism achieves the effect of instan- 
tiation but avoids constructing the formulas that result from the syntactic 
substitutions done by normal instantiation. 

One way of measuring the performance of a verification system is to com- 
pare the length of a natural argument with the length of a corresponding 
machine readable proof. The ratio of the length of a machine readable proof 
to the length of the corresponding natural argument is called the expansion 
factor for that proof. Figure 1.17 shows both an English natural argument 
(taken from a textbook on lattice theory, [Gratzer 78] page 24) and a corre- 
sponding Ontic proof. The natural argument contains 75 words and mathe- 
matical symbols, while the Ontic proof contains 73 symbols, yielding a word 
count expansion factor of about one. For the most part the "clear and nec- 
essary" steps of this particular natural argument correspond to statements 
that the Ontic interpreter can verify in a single step. 
Proof. Let P be a poset in which ∨S exists for all S ⊆ P. For 
H ⊆ P, let K be the set of all lower bounds of H. By hypothesis 
∨K exists; set a = ∨K. If h ∈ H, then h ≥ k for all k ∈ K; 
therefore h ≥ a and a ∈ K. Thus a is the greatest member of K, 
that is a = ∧H. 

(IN-CONTEXT ((LET-BE P POSET)
             (SUPPOSE (FORALL ((S (SUBSET-OF (U-SET P))))
                        (EXISTS (LEAST-UPPER-BOUND-OF S P))))
             (LET-BE H (SUBSET-OF (U-SET P)))
             (PUSH-GOAL
               (EXISTS (GREATEST-LOWER-BOUND-OF H P))))       ; #1
  (IN-CONTEXT
    ((LET-BE K (THE-SET-OF-ALL (LOWER-BOUND-OF H P)))
     (LET-BE a (THE (LEAST-UPPER-BOUND-OF K P))))
    (IN-CONTEXT ((PUSH-GOAL (IS a (LOWER-BOUND-OF H P))))     ; #2
      (IN-CONTEXT ((SUPPOSE (EXISTS (MEMBER-OF H)))
                   (LET-BE hO (MEMBER-OF H)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS hO (UPPER-BOUND-OF K P))))          ; #3
          (IN-CONTEXT
            ((SUPPOSE (EXISTS (MEMBER-OF K)))
             (LET-BE kO (MEMBER-OF K)))
            (NOTE-GOAL))                                      ; #3
          (NOTE-GOAL)))                                       ; #3
      (NOTE-GOAL))                                            ; #2
    (NOTE-GOAL)))                                             ; #1

Figure 1.17: Least upper bounds yield greatest lower bounds. 
The natural argument shown in figure 1.17 concerns complete lattices. 
A complete lattice is a partially ordered set P such that every subset of P 
has both a least upper bound and a greatest lower bound. The arguments 
in figure 1.17 show that if every subset of a partially ordered set P has a 
least upper bound, then every subset of P must also have a greatest lower 
bound. In the argument from Gratzer's book, shown in figure 1.17, the least 
upper bound of a set H is denoted ∨H and the greatest lower bound of H 
is denoted ∧H. In the Ontic proof the goals are numbered so that one can 
more easily see the association between the statement of the goal and the 
achievement of the goal. 

A different measure of the length of an argument or proof is obtained by 
counting the number of type expressions rather than words. The number of 
type expressions used in an argument provides a rough measure of the number 
of "statements" involved. A direct translation of the natural argument in 
figure 1.17 into Ontic would contain 14 type expressions while the actual 
Ontic proof contains only 13 type expressions yielding an expansion factor 
of about one. Thus the basic result that the Ontic proof is about the same 
length as the English proof does not depend on the particular way in which 
one measures length. 

In checking the proof in figure 1.17 the Ontic interpreter makes use of a 
large lemma library. The system uses some basic facts about partial orders 
together with the following facts: 

1. The definitions of the concepts involved, e.g. the definition of partial 
orders, lower bound, least member and greatest lower bound. 

2. The fact that if s is a subset of a partially ordered set p then the set 
of all lower bounds of s is a subset of p. 

3. The fact that for any subset s of a partially ordered set p, there is at 
most one least upper bound of s. 



One can argue that the expansion factor measured for the proof of figure 
1.17 is too low because the Ontic interpreter was allowed to use preproven 
lemmas that are not shown in the formal proof. But all of the lemmas used 
by the Ontic interpreter in proving this theorem are of general interest and 
have in fact been used in several different contexts. Furthermore the last two 
lemmas listed above have simple one or two line proofs in the Ontic system 
and thus if those lemmas had not been in the lemma library the proof shown 
in figure 1.17 would not be much longer. 

Lemma                                            Predicate Count     Word Count
                                                 Expansion Factor    Expansion Factor

If arbitrary least upper bounds exist then             .9                1.0
arbitrary greatest lower bounds also exist.

Every filter is contained in an ultrafilter.          1.3                1.2

If F is an ultrafilter and x ∨ y ∈ F then             2.1                2.7
x ∈ F or y ∈ F.

Every Boolean algebra is isomorphic to a              2.0                1.7
field of sets.

Table 1.1: Various Measurements of the Expansion Factor 

It seems likely that human mathematicians unconsciously invoke a large 
data base of general facts when they think about mathematical objects. Fur- 
thermore, it seems likely that in familiarizing oneself with a new domain one 
must verify a large body of "trivial" facts and incorporate these facts into 
the way one thinks about the domain. 

Bell and Machover's text on mathematical logic gives a more concise proof 
of the lemma of figure 1.17 ([Bell & Machover 77] page 127). In the proof a 
least upper bound is called a supremum and a greatest lower bound is called 
an infimum. 



Let L be a partially ordered set in which each subset has a 
supremum. Let X be a subset of L, and let Y be the set of lower 
bounds of X in L. Then Y has a supremum z and it is not hard 
to see that z is the infimum of X. 



A direct translation of the statements in Bell and Machover's proof into the 
language Ontic would contain 7 type expressions while the machine verifiable 
Ontic proof has 13 type expressions yielding a predicate count expansion 
factor of about two. While Bell and Machover's proof is clearly shorter than 
Gratzer's proof, Bell and Machover's proof includes the phrase "and it is not 
hard to see that". This phrase seems to be an admission that the given proof 
is not complete. Gratzer's proof, on the other hand, contains no such phrase 
and we must take Gratzer's proof as a fully expanded (complete) proof. 

The appendix contains a complete listing of a mathematical development 
that ends with a proof of the Stone representation theorem for Boolean lat- 
tices. This appendix provides a large number of examples of Ontic proofs 
and these proofs can be used to evaluate the Ontic verifier. Table 1.1 shows 
four expansion factor measurements taken from four of the larger proofs done 
in the Ontic system. The table lists both a predicate count expansion factor 
and a word count expansion factor for each test case. Both the natural ar- 
gument and the corresponding Ontic proofs for each test case can be found 
in the appropriate sections of the appendix. 

The machine readable proofs underlying table 1.1 relied on an extensive 
lemma library and the expansion factor measurements are thus open to the 
criticism that parts of the machine readable proof have been hidden in the 
lemma library. However, once a sufficiently large lemma library has been 
constructed, it should be possible to prove new theorems without extending 
the basic lemma library. I believe that the numbers listed in table 1.1 are 
accurate in that, with a mature lemma library, new theorems can be verified 
with small expansion factors even if the expansion factor takes into account 
all lemmas added during the verification. 
1.4 The Inference Mechanisms 



All of the inference mechanisms used in the Ontic system manipulate label- 
ings of a graph structure. More specifically, the Ontic system compiles the 
lemma library into a graph structure where the nodes in the graph struc- 
ture correspond to unique expressions in the formal language. There are 
nodes that correspond to terms, formulas, type expressions, function expres- 
sions and type generator expressions. The graph structure has nine different 
kinds of "links" where each link expresses a certain way that nodes are re- 
lated. For example if n is the node corresponding to the type expression 
(LOWER-BOUND-OF s p) then there is a subexpression link that relates n to 
the three nodes that correspond to the expressions LOWER-BOUND-OF, s and p. 
There are also links that express Boolean constraints among formula nodes, 
links that relate a lambda function to the node representing the bound vari- 
able and the body of that expression, and six other kinds of links. 

A labeling of the graph structure consists of two parts: a partial truth 
labeling on formula nodes, and a color labeling on all nodes. For each formula 
node p the partial truth labeling either assigns p the label true, assigns p the 
label false, or leaves p unlabeled. The color labels represent an equivalence 
relation on nodes: two nodes with the same color label are considered to be 
equivalent, i.e. proven equal in the current context. Whenever an inference 
is made the system updates the labeling: either a formula is assigned a truth 
label or two equivalence classes are merged by recoloring one class to be the 
same color as the other class. Any such inference process for updating labels 
on a fixed graph structure must terminate because there are only finitely 
many formula nodes which can be assigned truth labels and every merger of 
equivalence classes reduces the number of equivalence classes remaining and 
the number of equivalence classes can not drop below one. 

The same underlying graph structure can be used in many different con- 
texts. Graph structure is never thrown away: each time new graph structure 
is created it is saved for use in other contexts. Truth and color labels, on 
the other hand, are temporary; they are thrown away, for example, when the 
system stops considering a particular supposition or focus object. 

This section presents an informal description of the inference mechanisms 
which operate on the graph structure and the way in which the graph struc- 
ture is constructed from the lemma library. A precise description of the 
inference mechanisms and graph structure is presented in chapters 4 and 5. 
Chapter 6 contains a precise description of the Ontic language and chapter 7 
contains a precise description of the way the lemma library is compiled into 
graph structure. 

1.4.1 Inference Mechanisms for Quantifier-Free Logic 

Boolean constraint propagation and congruence closure were originally de- 
signed as inference techniques for quantifier-free logic. Boolean constraint 
propagation adds truth labels in response to Boolean constraints and pre- 
vious truth labels. For example, if the node for the implication (=> Φ Ψ) 
is labeled true, and the node for Φ is labeled true, then Boolean constraint 
propagation will ensure that the node for Ψ is labeled true. Similarly, if the 
node for (=> Φ Ψ) is labeled true, and the node for Ψ is labeled false, then 
Boolean constraint propagation will ensure that the node for Φ is labeled 
false. 

Boolean constraint propagation is also responsible for ensuring a certain 
relationship between color labels and the truth labels of nodes representing 
equalities. To ensure this relationship the system may merge equivalence 
classes in response to the addition of a truth label or, alternatively, add a 
truth label in response to the merger of equivalence classes. More specifi- 
cally, let p be a node which represents an equation between the expressions 
represented by nodes n1 and n2. If the equality node p is assigned the label 
true then the system ensures that nodes n1 and n2 have the same color label, 
i.e. are in the same equivalence class. On the other hand if the nodes n1 
and n2 are in the same equivalence class then the system ensures that p is 
assigned the label true.[7] 

Congruence closure is responsible for ensuring that the equivalence rela- 
tion represented by the color labels respects the substitution of equals for 
equals. For example consider terms (POWER-SET s1) and (POWER-SET s2). 



[7] If n1 and n2 are in the same equivalence class and the equality node p has been labeled 
false by some other inference process then the system signals a contradiction. 
Congruence closure ensures that if the nodes representing the terms s1 and s2 
have the same color label (are in the same equivalence class) then the nodes 
representing the expressions (POWER-SET s1) and (POWER-SET s2) also have 
the same color label. When two equivalence classes are merged congruence 
closure may merge additional equivalence classes in order to ensure that the 
equivalence relation respects the substitution of equals for equals. 
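The two quantifier-free mechanisms of this subsection, as an added illustration in Python (example code, not Ontic's): expression nodes are nested tuples, truth labels and union-find color labels are kept on them, true implications propagate truth labels in both directions, a true equality merges colors, every merger triggers congruence closure over the parent expressions, and a false equality whose sides end up with one color raises the contradiction of footnote 7. The tuple encoding and all names are this example's own assumptions.

```python
from collections import defaultdict
from itertools import product

# Operator of a compound node; atoms (plain strings) have none.
op = lambda n: n[0] if isinstance(n, tuple) else None


class Labeling:
    """Partial truth labeling on formula nodes plus a color labeling (an equivalence
    relation kept as union-find) on all nodes; constructed example, not Ontic's code."""

    def __init__(self):
        self.truth = {}                   # formula node -> True/False; absent = unlabeled
        self.parent = {}                  # union-find parent: the color label
        self.members = defaultdict(set)   # representative -> nodes of that class
        self.uses = defaultdict(set)      # node -> compound nodes having it as argument
        self.implications = []            # ('=>', A, B) nodes currently labeled true
        self.equations = []               # ('=', a, b) nodes present in the graph

    def node(self, expr):
        """Register expr and its subexpressions (the subexpression links)."""
        if expr not in self.parent:
            self.parent[expr] = expr
            self.members[expr].add(expr)
            if op(expr) == '=':
                self.equations.append(expr)
            if isinstance(expr, tuple):
                for sub in expr[1:]:
                    self.uses[self.node(sub)].add(expr)
        return expr

    def find(self, n):
        return n if self.parent[n] == n else self.find(self.parent[n])

    def same_color(self, a, b):
        return self.find(self.node(a)) == self.find(self.node(b))

    def assert_label(self, formula, value):
        """Label a formula, then run Boolean constraint propagation to a fixpoint."""
        self._set(self.node(formula), value)
        changed = True
        while changed:
            changed = False
            for _, ante, cons in list(self.implications):
                if self.truth.get(ante) is True and self.truth.get(cons) is None:
                    changed |= self._set(cons, True)    # modus ponens
                if self.truth.get(cons) is False and self.truth.get(ante) is None:
                    changed |= self._set(ante, False)   # modus tollens

    def _set(self, formula, value):
        old = self.truth.get(formula)
        if old is not None:
            if old != value:
                raise ValueError(f"contradiction on {formula}")
            return False
        self.truth[formula] = value
        if op(formula) == '=>' and value:
            self.implications.append(formula)
        if op(formula) == '=':
            if value:                                   # true equality -> one class
                self._merge(formula[1], formula[2])
            elif self.same_color(formula[1], formula[2]):
                raise ValueError(f"contradiction on {formula}")   # footnote 7
        return True

    def _merge(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if len(self.members[ra]) < len(self.members[rb]):
            ra, rb = rb, ra
        for n in self.members[rb]:                     # recolor the smaller class
            self.parent[n] = ra
        self.members[ra] |= self.members.pop(rb)
        # Congruence closure: compounds with the same operator whose arguments are
        # now pairwise equivalent must be made equivalent too.
        users = [u for n in list(self.members[ra]) for u in self.uses[n]]
        for p, q in product(users, repeat=2):
            if p != q and op(p) == op(q) and len(p) == len(q) and \
                    all(self.same_color(x, y) for x, y in zip(p[1:], q[1:])):
                self._merge(p, q)
        # An equality whose sides now share a color is labeled true; if it was
        # already labeled false, _set signals the contradiction.
        for eq in list(self.equations):
            if self.same_color(eq[1], eq[2]):
                self._set(eq, True)


def power_set_demo():
    """The section's example: once s1 ~ s2, (POWER-SET s1) ~ (POWER-SET s2); the
    equation (= s1 s2) is obtained by modus ponens from a supposed implication."""
    L = Labeling()
    ps1, ps2 = L.node(('POWER-SET', 's1')), L.node(('POWER-SET', 's2'))
    eq_ps = L.node(('=', ps1, ps2))
    before = L.same_color(ps1, ps2)
    L.assert_label(('=>', 'A', ('=', 's1', 's2')), True)
    L.assert_label('A', True)
    return before, L.same_color(ps1, ps2), L.truth.get(eq_ps)   # (False, True, True)
```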



1.4.2 Generic Individuals, Classification, and Focused 
Binding 

Recall that a context consists of a lemma library, a set of focus objects and 
a set of suppositions about the focus objects. Focused binding is a way of 
applying the universally quantified formulas in the lemma library to the focus 
objects in a context. This is done using an inheritance mechanism similar 
in spirit to Fahlman's virtual copy mechanism based on marker propagation 
[Fahlman 79]. More specifically, each type τ which has been compiled into 
a node in the graph structure is associated with a set of (typically two or 
three) generic individuals of that type. Information that is known to hold for 
a given type is explicitly stated about the generic individuals of that type. A 
focus object which is known to be an instance of type τ becomes a "virtual 
copy" of one of the generic individuals of type τ and thus inherits information 
from that individual. 

Each generic individual is a term node in the graph structure. Information 
which is known to hold for the type τ is explicitly stated about each generic 
individual of type τ. More specifically, if the system compiles into graph 
structure a universal formula of the form 

(FORALL ((x τ)) Φ(x)) 

then for each generic individual g of type τ which is added to the graph struc- 
ture, the system constructs a Boolean constraint equivalent to the following 
implication. 

(=> (AND (FORALL ((x τ)) Φ(x)) 
         (EXISTS-SOME τ)) 
    Φ(g)) 

Given the above constraint, if the universally quantified formula is true in a 
context, and instances of type τ are known to exist in that context, then the 
body of the universal formula is known to be true for each generic individual 
of type τ. In this way everything that is known about the type in general is 
explicitly stated about the generic individuals of that type. 

Classification assigns types to focus objects. Classification is needed in 
order for focus objects to inherit information from generic individuals. The 
system classifies a focus object t by collecting a set, types(t), of types known 
to hold for t according to the following rules: 

1. If the node for the formula (IS t τ) is labeled true then τ is included 
in types(t). 

2. If s is a term that is in the same equivalence class as the focus object 
t, and if the formula (IS s σ) is labeled true, then σ is included in 
types(t). 

3. If τ is a member of types(t), and the formula (IS-EVERY τ σ) is labeled 
true, then σ is included in types(t). 

4. If τ is a member of types(t) and σ is a type in the same equivalence 
class (with the same color as) τ then σ is included in types(t). 

Focused binding causes a given focus object to inherit information from 
a given generic individual. More specifically, for each focus object t and 
each type τ in the set types(t) the system chooses a generic individual g of 
type τ and constructs the binding g ↦ t. The generic individual g can be 
thought of as a typed variable and the binding g ↦ t can be thought of 
as a variable binding. In the Ontic system the variable binding g ↦ t is 
implemented via the color labels: when the system constructs the binding 
g ↦ t it assigns g and t the same color label, thereby making g equivalent 
to t. When g is made equivalent to t, the congruence closure mechanism is 
used to "unify" or "match" the expressions involving the generic individual 
g with the expressions involving the focus object t. In this way the focus 
object t becomes a virtual copy of the generic individual g. Since general 
knowledge about the type τ is explicitly stated about the generic individual 
g, general knowledge about the type τ becomes effectively stated about the 
focus object t. In this way general facts in the lemma library are effectively 
applied to focus objects of the correct type. 

The focused binding process is sometimes called semantic modulation 
because it involves modulating (changing) the interpretation of a fixed generic 
individual. The same generic individual can be bound to different focus 
objects in different contexts. In this way the system modulates the semantic 
denotation of the generic individual, hence the term semantic modulation. 

There are several subtleties involved in focused binding. First, the system 
must not bind the same generic individual to two different focus objects 
simultaneously. For example, consider a generic number g and two numbers 
j and k which are focus objects such that j is an even number and k is an 
odd number. If the system bound the generic number g to both j and k 
simultaneously then it could prove that g was both even and odd and thus 
that there exists a number which is both even and odd. 

A second subtlety involves the possibility of circular bindings. Before 
generating a binding of the form g ↦ r the system must be sure that r 
does not depend on g. Any term can be given as a focus object. Generic 
individuals themselves correspond to terms in the Ontic language (they are 
Ontic variables) and thus a focus object may be a generic individual or a term 
that contains a generic individual. 8 For example, if g is a generic individual 
ranging over numbers then the term 1 + g might be a focus object. In this 
case one should prevent the binding g ↦ 1 + g; no number is equal to the 
next number. The dependency test for avoiding circular bindings is similar 
to the occurs-check done in unification. Given a focus object r of type τ 
the system chooses a generic individual g such that g does not "occur in" r. 
Unfortunately the occurs-check performed by the Ontic system is somewhat 
complicated. Consider a generic individual y which ranges over numbers 
which are greater than x, where x is a generic individual ranging over all 
numbers (y is a generic individual of type (GREATER-THAN x)). The binding 
x ↦ 1 + y is illegal because it forces x to be greater than itself. However, x 
is not a free variable of the expression 1 + y. Rather, x is a free variable of 
the type of y where y is a free variable of 1 + y. We say that an expression 
u depends on a variable x if either x appears free in u or there is some 
free variable y of u such that the type of y depends on x. Unfortunately 
this notion of dependence still does not provide a sound occurs-check in the 
Ontic system: if x and y both range over arbitrary numbers the system 
must prevent the two simultaneous bindings x ↦ 1 + y and y ↦ 1 + x. 
To prevent such circularities the system must take previous bindings into 
account when computing occurs-checks. It turns out that there is a subtle 
interaction between previous bindings and the dependencies introduced by 
types. More specifically, if the system has already constructed the binding 
y ↦ u then the type of y can be ignored in the occurs-check procedure. The 
resulting occurs-check procedure runs quickly but the proof that the occurs- 
check procedure leads to sound inference is somewhat complex (see sections 
5.2 and 5.3). 

8 By abuse of notation I will identify a generic individual with the corresponding Ontic 
variable. Technically, a generic individual is a node in the graph structure while an Ontic 
variable is a term of the Ontic language. 



1.4.3 Automatic Universal Generalization 

The fourth inference mechanism used by the Ontic system is automatic uni- 
versal generalization. Universal generalization can be applied when the sys- 
tem has deduced a fact about an arbitrary individual and no assumptions 
have been made about that individual. More specifically, a universal gener- 
alization inference can be made if: 



• g is a generic individual of type τ. 

• The system has labeled the node for a formula Φ(g) true. 

• No assumptions have been made about the individual g other than the 
assumption that it is an instance of type τ. 

• No free variable of Φ(g) has a type that depends on g. The notion of 
dependence used here is the same as that defined above: τ depends on 
x just in case x appears free in τ or some free variable of τ has a type 
which depends on x. 

When the above conditions are met the system can infer the universal closure 

(FORALL ((x τ)) Φ(x)) 

There are several things to note about automatic universal generalization. 
First, this inference mechanism does not construct new formulas or new graph 
structure; automatic universal generalization is only applied when the graph 
already contains nodes for the formulas Φ(g) and the universal closure 

(FORALL ((x τ)) Φ(x)) 

Second, types play a central role in the automatic universal generalization 
mechanism. When the system proves the formula Φ(g) it is allowed to use the 
fact that g is an instance of the type τ, and the resulting universal statement 
applies to all instances of τ. Third, without the last restriction universal 
generalization is unsound. For example, consider a generic individual y that 
ranges over numbers greater than the generic number x. Without making 
any assumptions about x and y other than that they are both instances of 
their respective types, the system can deduce that x is less than y. It does not 
follow, however, that all numbers are less than y; there is no largest number. 
The fact that x is less than y does not imply that all numbers are less than 
y because x "occurs in" y; x is a free variable in the type of y. The same 
proof that shows that the Ontic occurs-check procedure is sound for focused 
binding can be used to show that the Ontic occurs-check procedure leads to 
sound universal generalization. 
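The dependence test defined in the previous section, the pair of circular bindings it must reject, and the restriction on universal generalization just discussed, worked through in Python as an added example (my own reading of the rules as stated in the text, not Ontic's code; the representation of terms and types as nested tuples is an assumption):

```python
"""Dependence-based occurs-check for focused binding and for automatic
universal generalization (added example; my reading of the text's rules).

A term is a variable name (str), a constant (int) or a tuple (op, arg, ...).
Types are terms too: ('NUMBER',) or ('GREATER-THAN', 'x').  An expression u
depends on a variable x if x appears free in u, or some free variable of u
has a type that depends on x.  Bindings made earlier are followed, and the
type of an already-bound variable is ignored, as the text describes.
"""


def free_vars(term):
    """Variables occurring in a term; constants contribute nothing."""
    if isinstance(term, str):
        return {term}
    if isinstance(term, tuple):
        return set().union(*(free_vars(arg) for arg in term[1:]))
    return set()


class Binder:
    def __init__(self, types):
        self.types = dict(types)   # generic individual -> its type (a term)
        self.bindings = {}         # generic individual -> focus object term

    def depends(self, u, x, seen=None):
        """True if expression u depends on variable x."""
        seen = set() if seen is None else seen
        for v in free_vars(u):
            if v == x:
                return True
            if v in seen:
                continue
            seen.add(v)
            if v in self.bindings:
                # v already stands for a focus object: follow that binding
                # and ignore v's type (the refinement described in the text)
                target = self.bindings[v]
            else:
                target = self.types.get(v, ())   # () : no type information
            if self.depends(target, x, seen):
                return True
        return False

    def bind(self, g, r):
        """Construct the binding g -> r if the occurs-check permits it."""
        if g in self.bindings or self.depends(r, g):
            return False
        self.bindings[g] = r
        return True

    def can_generalize(self, phi, g):
        """Universal generalization over g is allowed only if no other free
        variable of phi has a type that depends on g."""
        return not any(self.depends(self.types.get(v, ()), g)
                       for v in free_vars(phi) - {g})


def occurs_check_demo():
    """The situations from the text; returns which bindings were accepted."""
    b = Binder({'g': ('NUMBER',), 'x': ('NUMBER',),
                'y': ('GREATER-THAN', 'x')})
    results = {
        'g -> 1+g': b.bind('g', ('+', 1, 'g')),   # g occurs in 1+g
        'x -> 1+y': b.bind('x', ('+', 1, 'y')),   # x occurs in the type of y
    }
    # two generic numbers with no type dependency: the second binding
    # would close a cycle, which only earlier bindings reveal
    c = Binder({'x': ('NUMBER',), 'y': ('NUMBER',)})
    results['x -> 1+y (untyped)'] = c.bind('x', ('+', 1, 'y'))
    results['y -> 1+x after it'] = c.bind('y', ('+', 1, 'x'))
    return results


def generalization_demo():
    """x < y is provable from the types alone; it may be generalized over y
    (every y above x satisfies it) but not over x (no largest number)."""
    b = Binder({'x': ('NUMBER',), 'y': ('GREATER-THAN', 'x')})
    phi = ('<', 'x', 'y')
    return {'over x': b.can_generalize(phi, 'x'),
            'over y': b.can_generalize(phi, 'y')}
```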

The above notion of universal generalization can be made more powerful 
by relaxing the restriction that no assumptions have been made about the 
arbitrary individual being generalized over. More specifically one can perform 
universal generalization under the following conditions: 



• g is a generic individual of type τ. 

• The system has labeled the node for a formula Φ(g) true. 

• The system has bound g via the binding g ↦ h. 

• h is a generic individual of type σ where σ has the same color label as 
τ in the current context. 

• No assumptions have been made about h. 

• h does not "occur in" any free variable of Φ(g) other than g. 

When the above conditions are met the system can infer the universal closure 

(FORALL ((x τ)) Φ(x)) 

Again, note that this inference mechanism does not construct new for- 
mulas or add new graph structure. In order for this inference mechanism to 
be applied, all of the formulas involved must already be compiled into nodes 
in the graph structure. 

To see the importance of the more general automatic universal general- 
ization mechanism, consider a subset s of a partially ordered set p and the 
set u of all lower bounds of s as a subset of p. Now consider a member x of 
s. By definition u is the set of lower bounds of s so x is an upper bound of 
u. It turns out that in the Ontic system proving this last statement requires 
universal generalization. More specifically the Ontic system must focus on 
an arbitrary member y of u and note that x is greater than or equal to y. 
Since y is an arbitrary member of u, x is greater than or equal to all members 
of u. In this situation the system will construct the following bindings: 

s' ↦ u 

z ↦ y 

Here s' is a generic individual ranging over arbitrary subsets of p and z is a 
generic individual ranging over members of s'. Now y is a generic individual 
ranging over members of u and z is a generic individual ranging over members 
of s', so z and y are different generic individuals whose types happen to be 
equal in the current context. Furthermore z is bound to y. In this situation 
the system generalizes over the variable z rather than the variable y. The 
system must generalize over z rather than y because the definition of upper 
bound is stated about the generic subset s' rather than the particular subset 
u and thus the quantified formula in question quantifies over members of s' 
rather than members of u. 

All of the inference mechanisms used in the Ontic system run concurrently 
and interact with each other. Inferences can lead to more knowledge about 
the types of focus objects; this can lead to more bindings, which can lead 
in turn to more inference. The time required to finish the overall inference 
process is bounded by the size of the graph structure. This is because the 
inference processes can only add as many truth labels as there are formula 
nodes and can only merge as many equivalence classes as there are nodes 
in total. The factors that contribute to the size of the graph structure are 
discussed below. 



1.4.4 The Size of the Graph Structure 

When a new focus object r of type τ is introduced, it is possible that all 
generic individuals of type τ have either already been bound to other objects 
or occur in the focus object r and thus cannot be bound to r. In this case 
the system creates a new generic individual of type τ and copies all of the in- 
formation known about type τ as explicit statements about that new generic 
individual. Once the generic individual has been constructed, however, it 
is saved and can be used in other contexts. For most arguments there are 
already enough generic individuals in the graph structure to accommodate 
the focus objects and no new graph structure is created. However, if there 
are not enough generic individuals to accommodate the focus objects, then 
generic individuals are created on demand as focus objects are introduced. 
As generic individuals are created the underlying graph structure expands. 

The size of the graph structure created by the Ontic compiler is deter- 
mined by the library of mathematical facts and by the number of generic 
individuals that have been created for each type. Fortunately, for any given 
bound on the level of quantifier nesting, the size of the graph structure is 
linear in the size of the lemma library; the amount of graph structure is the 
sum over all lemmas of the amount of structure created by each lemma. This 
fact allows the Ontic system to be used with large libraries of mathematical 
facts. However, the cost of an individual lemma can be quite high. Consider 
a lemma of the following form: 

(FORALL ((x τ1) (y τ2) (z τ3)) Φ(x, y, z)) 

The body of this lemma will be copied for each triple $g_1, g_2, g_3$ where 
$g_1$, $g_2$ and $g_3$ are generic individuals of type $\tau_1$, $\tau_2$ and $\tau_3$ respectively. In 
general every quantified formula which is compiled into graph structure gets 
instantiated with every generic individual of the appropriate type. Let $|\tau_1|$, 
$|\tau_2|$ and $|\tau_3|$ be the number of generic individuals for $\tau_1$, $\tau_2$, and $\tau_3$ respectively. 
The number of copies of the body of the above lemma is: 

$$|\tau_1| \cdot |\tau_2| \cdot |\tau_3|$$

Generic individuals are created on demand as new focus objects are intro- 
duced. If no more than n focus objects have been introduced in any one 
context then there will be at most n generic individuals of each type. If the 
maximum number of quantifiers used in any lemma is d then there can be no 
more than $n^d$ copies of the body of each lemma. Lemmas rarely involve more 
than three quantifiers and most sessions with the Ontic interpreter involve at 
most five simultaneous focus objects. Thus a typical lemma in a typical ses- 
sion generates no more than $5^3$ or 125 instantiations. In practice this number 
is smaller because most lemmas quantify over highly specialized types and 
there are typically only a small number of generic individuals of specialized 
types. Again note that the size of the graph structure is linear in the size of 
the lemma library; the total amount of graph structure is just the sum over 
all lemmas of the amount of structure generated by each lemma. However, 
the size of graph structure is very sensitive to the maximum number of focus 
objects introduced in a given context. A good rule of thumb seems to be 
that the size of the graph structure is proportional to $n^3 |\Sigma|$ where n is the 
maximum number of focus objects introduced in any one context and $|\Sigma|$ is 
the size of the lemma library. 
Chapter 2 

Comparison with Other Work 



The Ontic system represents a synthesis of ideas from artificial intelligence 
and automated theorem proving. Constraint propagation is a forward chain- 
ing inference technique that terminates quickly because it monotonically fills 
a finite set of "slots"; the Ontic system monotonically generates truth and 
color labels for nodes in a finite graph structure. Congruence closure is a pow- 
erful theorem proving technique for reasoning about equality. Congruence 
closure is usually viewed as an inference procedure reasoning about equalities 
involving ground (variable-free) expressions. In the Ontic system, however, 
congruence closure is used as an integral part of general first order theorem 
proving. Focused binding, also known as semantic modulation, is closely re- 
lated to inheritance mechanisms which have been developed for knowledge 
representation languages and object oriented computer programming lan- 
guages. Focused binding integrates inheritance with other theorem proving 
mechanisms. Congruence closure is used to implement a strong virtual copy 
mechanism that allows focus objects to inherit from generic individuals. Au- 
tomatic universal generalization is perhaps the simplest and yet the most 
original feature of the Ontic system. Ontic brings all these ideas together in 
a single integrated inference process. 

The first section of this chapter relates each of the four basic inference 
mechanisms used in Ontic with previous work in knowledge representation 
and automated theorem proving. The second section of the chapter relates 
Ontic's focused binding mechanism to unification. Focused binding and uni- 
fication provide alternative ways of selecting and applying facts from a fact 
library. The third section of the chapter lists various theorem proving mech- 
anisms other than those used in the Ontic system and attempts to show how 
they are related to Ontic. The final section of the chapter lists some of the 
general issues to be considered in constructing a proof verification system and 
discusses how Ontic and various other systems have addressed 
those issues. 



2.1 Inference Mechanisms Similar to Ontic's 

The following four sections discuss each of Ontic's four inference mechanisms 
in turn. The first three inference mechanisms are related to well known 
inference techniques. Ontic, however, brings these mechanisms together in 
an integrated, object oriented theorem proving process. 



2.1.1 Constraint Propagation 

There are many mechanisms in the artificial intelligence literature which 
could be described as constraint propagators. By "constraint propagation" 
I mean an inference process whose running time, or number of processing 
steps, is directly bounded by the size of a finite constraint network. On- 
tic is a constraint propagation system in two ways. First of all, one of the 
fundamental inference mechanisms is Boolean constraint propagation which 
is a special case of the arc-consistency constraint propagation technique for 
general constraint satisfaction problems [Mackworth 77]. Second, all of On- 
tic's inference mechanisms operate by labeling a graph structure. The graph 
structure is analogous to a constraint network in that the total number of 
labeling operations is directly bounded by the size of that graph structure. 

Many artificial intelligence researchers have used constraint propagation. 
Waltz used constraint propagation to filter the possible interpretations of 
lines in line drawings of polygonal physical objects [Waltz 75]. A line in a 
drawing of a scene can be interpreted as a convex edge on a single object, a 
concave edge on a single object or an edge between two objects. A particular 
interpretation of an edge is called a "label" for that edge. Vertices between 
edges provide constraints on the possible interpretations of edges. In Waltz 
line labeling a forward chaining inference process systematically eliminates 
possible labelings of individual edges. The running time of the process is 
directly bounded by the number of edges and the number of labels that can 
be eliminated. 

The Waltz line labeling procedure can be used in the more general setting 
of an arbitrary constraint satisfaction problem [Mackworth 77]. A constraint 
satisfaction problem consists of a set of variables each of which can be as- 
signed one of a finite set of possible values and a set of constraints where each 
constraint restricts the simultaneous assignments for a given subset of the 
variables. The arc-consistency procedure, which is a straightforward general- 
ization of Waltz labeling, systematically eliminates possible interpretations of 
variables based on local constraints. The running time of the arc-consistency 
procedure is directly bounded by the number of variables and the number 
of possible assignments for each variable. Boolean constraint propagation 
is a special case of the arc-consistency procedure where the variables are 
Boolean, i.e. they can be assigned the labels true or false, and the constraints 
are disjunctive clauses involving the Boolean variables. Boolean constraint 
propagation is described in more detail in chapter 4. 

Sussman and Steele have proposed a language for expressing constraints 
on real valued variables and constraint propagation techniques for dealing 
with such constraints [Sussman & Steele 80]. The number of propagation 
operations performed by Sussman and Steele's system was directly bounded 
by the number of variables involved. 

Nevins constructed a forward chaining geometry theorem prover which 
restricted the forward chaining inference process to an a priori fixed set of 
formulas [Nevins 74]. Nevins' program used a diagram to focus the system's 
attention on certain lines. If a geometry problem has n points then there 
are $\binom{n}{2}$ possible line segments between these points. A diagram, however, 
specifies a subset of the $\binom{n}{2}$ lines, those actually drawn in the diagram. 
By limiting forward chaining to statements about these focused lines, the 
forward chaining process does not generate large numbers of irrelevant facts. 
With Nevins' focused forward chaining mechanism there is no need for the 
diagrammatic filter used by Gelernter [Gelernter 59]. 

Ontic's inference processes operate on a finite graph structure; the number 
of labeling operations is directly bounded by the size of that graph structure. 
The Ontic system can use the same graph structure in different contexts to 
reason about different focus objects. When a generic individual g is bound to 
a focus object r, a formula involving g can be viewed as a formula involving r; 
in the presence of bindings the formula nodes in the graph structure represent 
formulas about focus objects. Different bindings cause the nodes in the graph 
structure to represent statements about different objects. 



2.1.2 Congruence Closure 

Congruence closure is the process of "closing" an equivalence relation on ex- 
pressions under the inference rule of substitution of equals for equals. Con- 
gruence closure was first discussed by Kozen for reasoning about finitely 
presented algebras [Kozen 77]. Congruence closure has also been used by 
Nelson and Oppen in constructing fast decision procedures for a variety of 
problems that arise in automatic program verification [Nelson and Oppen 80] . 
The congruence closure procedure used in the Ontic system, and discussed in 
some detail in chapter 4, is based on the procedure given by Downey, Sethi 
and Tarjan [Downey, Sethi & Tarjan 80]. 

Ontic uses congruence closure both as a mechanism for reasoning about 
equality and as a replacement for unification. The relationship between On- 
tic's use of congruence closure and traditional unification is discussed in sec- 
tion 2.2. 



2.1.3 Focused Binding as Inheritance 

Focused binding can be viewed as an inheritance mechanism: information 
about a type is inherited by instances of that type. Type hierarchies and 
inheritance also play an important role in object oriented programming lan- 
guages such as Smalltalk [Ingalls 76]. In object-oriented programming, data 
types are organized into a hierarchy where one data type can be a subtype of 
another. Data objects are usually records with data fields. A given data ob- 
ject inherits both data fields and functional behavior from all the supertypes 
of its immediate type. A fairly rigorous, though not very general, treatment 
of some basic ideas in object-oriented programming is given in [Cardelli 84]. 

Type hierarchies and inheritance also play a central role in many knowl- 
edge representation systems and object oriented programming languages. 
Frame-based knowledge representation languages typically allow the user to 
define "concepts" which he or she organizes into an "is-a" hierarchy (e.g. 
[Brachman & Schmolze 85]). A concept represents a class of structured ob- 
jects; the concept is associated with a set of "slots"; an instance of that 
concept is an object with specific "fillers" or "values" for the slots of the 
concept. For example the concept room might have slots ceiling, floor, walls, 
and furniture. Any particular room will have a particular ceiling, a particular 
floor, and a particular set of pieces of furniture. Furthermore, a concept can 
place certain constraints on the slot fillers. For example the concept room 
might specify that the furniture slot is always filled with a set of physical 
objects. The user could introduce the concept auditorium as a specialization 
of the concept room and the concept auditorium would then automatically 
"inherit" the slots and constraints of the concept room. 

Ontic's focused binding mechanism is very similar to Fahlman's virtual 
copy mechanism based on marker propagation [Fahlman 76]. Fahlman pro- 
posed a semantic network formalism in which objects inherit information 
from classes by passing markers along links in the network. The marker 
passing is done in such a way that the object being considered becomes a 
"virtual copy" of generic objects which contain information about classes. 
In the Ontic system color labels are used instead of Fahlman's markers. A 
focus object is made into a virtual copy of a generic individual by assigning 
the generic individual the same color label as the focus object; congruence 
closure ensures that if two nodes have the same color label then they have 
identical properties. 

In the Ontic system inheritance is just one aspect of an integrated theo- 
rem proving mechanism. Generic individuals are viewed as logical variables 
that range over a given type. Inheritance occurs when a generic individual 
g is bound to a focus object r via a binding g ↦ r. Fahlman's inheritance 
mechanism, on the other hand, was not viewed as a formal inference mech- 
anism and Fahlman did not propose integrating his inheritance mechanism 
with other formal inference techniques such as Boolean constraint propaga- 
tion, congruence closure, or automatic universal generalization. 



2.1.4 Automatic Universal Generalization 



Automatic universal generalization arises from a very simple idea: if a fact is 
proven about a generic individual g of type r and no assumptions have been 
made about g other than that g is an instance of r, then the fact holds for all 
instances of r. In spite of the simplicity of the underlying idea, Ontic's uni- 
versal generalization technique seems to be unlike any previous automatic 
inference mechanism. For example, a comparison of Ontic and resolution 
theorem provers shows that when Ontic performs universal generalization it 
is treating a generic individual as a Skolem constant introduced by a univer- 
sally quantified goal formula. But, unlike resolution, the Ontic system does 
not make any distinction between variables and Skolem constants. Generic 
individuals in Ontic are used in three different ways. If instances of a type 
r are known to exist then each generic individual of type r is asserted to be 
an instance of r. In this way the generic individuals can be used as Skolem 
constants introduced by the premise that instances of r exist. But generic 
individuals are also used as variables that can be bound to specific terms in 
much the same way that resolution variables are bound during unification. 
Generic individuals are used in yet a third way by the universal generaliza- 
tion mechanism; universal generalization treats generic individuals as Skolem 
constants introduced by universally quantified goal statements. 

The real novelty of the Ontic system lies in the way that the above four 
inference mechanisms are brought together. Ontic integrates constraint prop- 
agation, congruence closure, inheritance, and universal generalization in a 
single object-oriented labeling process on a fixed graph structure. 
2.2 Focused Binding vs. Unification 



One of the most striking features of the Ontic system, as compared to other 
theorem proving systems, is that Ontic does not use unification. Unification 
is often used to access information in a data base. A Prolog interpreter, 
for example, takes a goal formula and finds a production in the data base 
whose left hand side unifies with the given goal. A rewrite system takes an 
expression to be simplified and finds a rewrite rule in the data base whose 
left hand side unifies with the expression to be simplified. Under the set- 
of-support heuristic a resolution theorem prover finds a clause in the data 
base such that a literal of that clause unifies with a subgoal in the current 
problem. In all these cases the system is finding an expression in the data 
base which unifies with an expression in the current problem. 

Ontic accesses information in the lemma library via the focused binding 
mechanism. Both unification and focused binding generate variable bindings 
which are useful to produce specialized instances of the general formulas 
in a data base. However, unification and focused binding generate variable 
bindings in very different ways. Unification starts with the expressions to be 
matched and generates variable bindings which lead to the match. Focused 
binding, on the other hand, starts with focus objects then generates variable 
bindings (bindings of generic individuals) and relies on congruence closure to 
generate "matches" between expressions involving variables and expressions 
involving the focus objects. Unification is a local process: unification is 
used in the application of a single rewrite rule or in a single resolution step. 
Focused binding, on the other hand, is a global process involving an arbitrary 
number of facts from the lemma library. Focused binding is integrated into 
the theorem-proving process. Automated inference and knowledge from the 
lemma library is used both in determining the types which apply to a given 
object and in determining equivalences between expressions after bindings 
have been performed. 

Considerable research has been directed toward incorporating various 
kinds of knowledge (axiomatic theories) into unification. Equational axioms, 
such as the commutativity and associativity properties of addition, can be 
incorporated into the unification process so that, for example, a + x matches 
b + a with the binding x ↦ b. Taxonomic information, information involving 
the classification of objects into types, can also be incorporated into the uni- 
fication process. Because Ontic's focused binding mechanism is integrated 
with the theorem proving process, focused binding automatically incorpo- 
rates both equational and taxonomic information into the matching process; 
any lemma in the lemma library may be used in Ontic's matching process. 
However, unlike most unification mechanisms, Ontic's matching process is 
not logically complete: it is possible that two expressions are provably equiv- 
alent and yet the Ontic system fails to match them. This is consistent with 
the overall design philosophy of the Ontic system; to ensure that the system 
always terminates quickly, completeness has been abandoned. 



2.2.1 Unification Relative to Equational Theories 

There has been a considerable amount of research dedicated to incorporating 
equational theories into unification. For example consider addition as an 
associative and commutative operator. Now consider the problem of unifying 
x + (a + b) and a + (c + b). The binding x ↦ c unifies these two terms in the 
sense that the equation 

$$c + (a + b) = a + (c + b)$$

follows from the associative and commutative properties of +. 

More generally, let Γ be a set of universally quantified equations between 
first order terms. For example Γ might consist of the associative and commu- 
tative laws for addition. A general purpose theorem prover, such as a resolu- 
tion system, could handle the equations in Γ simply by adding the equations 
in Γ to the data base of general facts. In practice, however, it seems more 
efficient to incorporate certain equational facts into the unification process. 
Once these facts have been incorporated into the unification process they can 
be removed from the general data base without loss of logical completeness. 

A given set of equational axioms Γ has a corresponding unification prob- 
lem. For any substitution σ and any expression u we define σ(u) to be the 
result of simultaneously replacing all free variables in u with their image un- 
der σ. A unification of two expressions s and t relative to the axioms in Γ is 
a substitution σ which yields a match between s and t relative to Γ, i.e. such 
that the equational formulas in Γ imply that σ(s) equals σ(t). If Γ states 
that + is associative and commutative then the substitution {x ↦ c} unifies 
x + (a + b) and a + (c + b) relative to Γ. The unification problem for Γ is the 
problem of computing, for any given expressions s and t, a representation of 
all unifications of s and t relative to Γ. 

If Γ consists of a single commutative operation then it is easy to determine 
if there exists a unification of any two given terms relative to Γ. On the other 
hand if Γ states that a binary operator · is associative, and · distributes over a 
binary operator +, then there is no procedure which can decide the existence 
of a unification of two arbitrary terms relative to Γ. These results and others 
are discussed in a review article by Siekmann [Siekmann 84]. 

Unification relative to equational theories can be compared with Ontic's 
focused binding mechanism. Ontic first binds variables (generic individuals) 
of the appropriate type to focus objects and then uses congruence closure to 
"match" expressions involving the variables with expressions involving the 
focus objects. Ontic's matching process (congruence closure) automatically 
incorporates equations from the lemma library. For example suppose that 
Ontic's lemma library contains the associative and commutative laws for ad- 
dition on the natural numbers. More specifically, suppose the lemma library 
includes the following three lemmas: 

(FORALL ((X NATURAL-NUMBER) 
(Y NATURAL-NUMBER)) 

(= (SUM-OF X Y) 
(SUM-OF Y X))) 



(FORALL ((X NATURAL-NUMBER) 
(Y NATURAL-NUMBER) 
(Z NATURAL-NUMBER)) 

(= (SUM-OF X (SUM-OF Y Z)) 
(SUM-OF (SUM-OF X Y) Z))) 
(FORALL ((X NATURAL-NUMBER) 
(Y NATURAL-NUMBER) 
(Z NATURAL-NUMBER)) 

(= (SUM-OF X (SUM-OF Y Z)) 
(SUM-OF (SUM-OF Y Z) X))) 

The first and second lemma above express the fact that addition is commutative and associative respectively. The third lemma follows from the other two. If the third lemma were not explicitly given, however, then when focusing on three generic numbers $g_1$, $g_2$ and $g_3$ the following equation would not be obvious to the Ontic system.

$$g_1 + (g_2 + g_3) = (g_2 + g_3) + g_1$$

To prove this equation in the absence of the third lemma, or to prove the third lemma from the other two, the system must focus on the sum $g_2 + g_3$ so that the commutative law is applied to $g_1 + (g_2 + g_3)$. The associative and commutative laws allow for twelve different ways of writing down the sum of $g_1$, $g_2$ and $g_3$: there are six different orders in which the numbers can appear and two different ways of parenthesizing each order. In the presence of the three lemmas given above all twelve ways of writing the sum are equivalent; the twelve nodes in the graph structure that represent the twelve different expressions for this sum are all in the same equivalence class; they have the same color label. Now suppose the user focuses on three particular numbers a, b and c. The Ontic system will bind a generic number to each of these three particular numbers; assume that the system generates the bindings

$$g_1 \mapsto a \qquad g_2 \mapsto b \qquad g_3 \mapsto c$$

Given that all twelve expressions for the sum of $g_1$, $g_2$ and $g_3$ are in the same equivalence class, congruence closure together with the above bindings ensures that the term a+(b+c) is equivalent to the term b+(c+a). By using congruence closure as a matching mechanism, and by precompiling equational theories as equations involving generic individuals, the Ontic system automatically performs theory-relative matching. Unfortunately Ontic's matching process is not complete; the incompleteness is demonstrated by the need for the third lemma given above. On the other hand, as the example shows, one can always improve the power of the matching process by adding derived equational lemmas to the lemma library.
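The matching process described above, as an added example and not code from the Ontic system: a congruence closure over a fixed set of term nodes, with the three lemmas instantiated under a single binding of each lemma variable (X to g1, Y to g2, Z to g3; that one-binding-per-variable instantiation is an assumption made for this illustration, not a description of Ontic's actual binding strategy). SUM-OF is written as the tuple head "+", and the names g1, g2, g3, a, b, c are the text's. The functions show that the two basic lemmas alone do not equate g1+(g2+g3) with (g2+g3)+g1, that either the third lemma or an extra binding of the commutative law to the focus object g2+g3 does, and that adding the bindings g1 ↦ a, g2 ↦ b, g3 ↦ c as equations carries the result over to the particular numbers (checked on (b+c)+a, the form this single-binding instantiation reaches; the text's b+(c+a) needs more of the twelve forms present as nodes).

```python
# Added example; not code from the Ontic system.  Congruence closure over a
# fixed set of term nodes, used as a theory-relative matcher.  Terms are
# nested tuples with SUM-OF written as the head "+"; g1, g2, g3 are the
# generic (focus) individuals and a, b, c the particular numbers.

def subterms(term, acc):
    """Add term and all of its subterms to acc (these are the graph nodes)."""
    acc.add(term)
    if isinstance(term, tuple):
        for arg in term[1:]:
            subterms(arg, acc)
    return acc


class CongruenceClosure:
    """Union-find over a fixed node set, closed under congruence.

    Only nodes present at construction are ever equated; no new terms are
    created.  That restriction keeps the closure cheap, and it is also why
    the closure can miss terms that are semantically equal.
    """

    def __init__(self, nodes):
        self.parent = {n: n for n in nodes}

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path compression
            t = self.parent[t]
        return t

    def union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return False
        self.parent[rs] = rt
        return True

    def close(self):
        """Merge applications with the same head and congruent arguments
        until no class changes (a fixpoint, so node order does not matter)."""
        changed = True
        while changed:
            changed = False
            signatures = {}
            for node in self.parent:
                if not isinstance(node, tuple):
                    continue
                key = (node[0],) + tuple(self.find(a) for a in node[1:])
                if key in signatures:
                    changed |= self.union(node, signatures[key])
                else:
                    signatures[key] = node


def plus(x, y):
    return ("+", x, y)

# The three lemma bodies from the text, each as a function of its variables.
def comm(x, y):
    return (plus(x, y), plus(y, x))

def assoc(x, y, z):
    return (plus(x, plus(y, z)), plus(plus(x, y), z))

def lemma3(x, y, z):
    return (plus(x, plus(y, z)), plus(plus(y, z), x))


def provably_equal(equations, goal):
    """Build the node set from the equations and the goal, assert the
    equations, close, and report whether the goal's sides share a class."""
    nodes = set()
    for s, t in list(equations) + [goal]:
        subterms(s, nodes)
        subterms(t, nodes)
    cc = CongruenceClosure(nodes)
    for s, t in equations:
        cc.union(s, t)
    cc.close()
    return cc.find(goal[0]) == cc.find(goal[1])


G1, G2, G3 = "g1", "g2", "g3"
GOAL = (plus(G1, plus(G2, G3)), plus(plus(G2, G3), G1))   # g1+(g2+g3) = (g2+g3)+g1

# Assumption for the illustration: each lemma variable is bound to one focus
# object, X -> g1, Y -> g2, Z -> g3.
def two_lemmas_only():
    return provably_equal([comm(G1, G2), assoc(G1, G2, G3)], GOAL)

def with_third_lemma():
    return provably_equal([comm(G1, G2), assoc(G1, G2, G3), lemma3(G1, G2, G3)], GOAL)

def with_focus_on_sum():
    # Focusing on g2+g3 lets Y in the commutative law be bound to that sum.
    return provably_equal([comm(G1, G2), assoc(G1, G2, G3), comm(G1, plus(G2, G3))], GOAL)

def bound_to_particulars():
    # The bindings g1 -> a, g2 -> b, g3 -> c enter the closure as equations.
    eqs = [comm(G1, G2), assoc(G1, G2, G3), lemma3(G1, G2, G3),
           (G1, "a"), (G2, "b"), (G3, "c")]
    return provably_equal(eqs, (plus("a", plus("b", "c")), plus(plus("b", "c"), "a")))
```

The first function returns False and the other three True: the closure never builds the node (g2+g1)+g3 that a derivation from the two basic lemmas would need, which is exactly the incompleteness the text attributes to the absence of the third lemma.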

Ontic's focused binding mechanism automatically incorporates any equa- 
tional lemma whatsoever into the congruence closure process; in the Ontic 
system one does not have to design a new theory-relative matching process 
for each new theory as one must do for theory relative unification. Ontic's 
mechanism has the disadvantage however that there is no guarantee of com- 
pleteness — congruence closure may fail to equate semantically equal terms. 

2.2.2 Unification Relative to Taxonomic Theories 

Several researchers have investigated unification relative to theories which are not equational. Non-equational theories incorporated into the unification process are sometimes called taxonomic theories because they usually encode a classification of objects into types. The separation of "taxonomic" and "assertional" information has been discussed in the knowledge representation literature [Brachman, Fikes & Levesque 82]. For example consider the axiom

$$\forall x\; \mathrm{whale}(x) \Rightarrow \mathrm{mammal}(x)$$

This axiom expresses an inclusion relation between the "type" whale and 
the type mammal. Inclusion relations of this kind can be incorporated into 
the unification process and need not be stated explicitly in the data base of 
a general purpose theorem prover. 

Walther has given a unification algorithm which handles any taxonomic theory expressible as a partial order on class symbols [Walther 84a]. He showed that for any such taxonomic theory T and any two typed terms s and t the set of all unifications of s and t can be expressed with a finite set of most general unifiers (i.e. the unification problem is finitary). Furthermore he showed that if the type hierarchy is a tree then there is a single most general unifier.
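An added example of the idea in the two passages above (the whale/mammal inclusion and sorted unification over a tree-shaped hierarchy); it is not code from Walther's paper or from the Ontic system, and the sort hierarchy, term representation and names are constructed for the illustration. A variable carries a sort and may only be bound to a term whose sort is at or below it, so the inclusion axioms are consulted during matching instead of being stated in the clause set. Because the hierarchy is a tree, two comparable sorts have the lower one as their greatest lower bound and incomparable (sibling) sorts cannot unify at all, which is why one most general unifier suffices. The supersorts function also gives the classification an object receives once the hierarchy is taken into account, the closure Ontic's classification of focus objects performs.

```python
# Added example; not code from Walther's paper or from the Ontic system.
# Syntactic unification extended with a tree-shaped sort hierarchy.  The
# hierarchy below is a constructed toy.

PARENT = {"whale": "mammal", "dog": "mammal", "mammal": "animal", "bird": "animal"}


def supersorts(sort):
    """sort and everything above it in the tree; this is also the set of
    types a focus object of this sort is classified under."""
    chain = [sort]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def subsort(s, t):
    """True iff s is t or lies below t."""
    return t in supersorts(s)


# Terms: ("var", name, sort) | ("const", name, sort) | ("app", fn, sort, *args)
def var(name, sort):
    return ("var", name, sort)

def const(name, sort):
    return ("const", name, sort)

def app(fn, sort, *args):
    return ("app", fn, sort) + args

def sort_of(term):
    return term[2]


def walk(term, subst):
    """Follow variable bindings to their current value."""
    while term[0] == "var" and term in subst:
        term = subst[term]
    return term


def occurs(v, term, subst):
    term = walk(term, subst)
    if term == v:
        return True
    return term[0] == "app" and any(occurs(v, a, subst) for a in term[3:])


def bind(v, term, subst):
    """Bind v only if term's sort lies below v's sort and no cycle arises."""
    if not subsort(sort_of(term), sort_of(v)) or occurs(v, term, subst):
        return None
    subst[v] = term
    return subst


def unify(s, t, subst=None):
    """Return the most general sorted unifier as a dict, or None."""
    subst = {} if subst is None else subst
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return subst
    if s[0] == "var" and t[0] == "var":
        # Bind the variable of the higher sort to the one of the lower sort;
        # siblings in the tree have no common subsort and fail.
        if subsort(sort_of(t), sort_of(s)):
            return bind(s, t, subst)
        if subsort(sort_of(s), sort_of(t)):
            return bind(t, s, subst)
        return None
    if s[0] == "var":
        return bind(s, t, subst)
    if t[0] == "var":
        return bind(t, s, subst)
    if s[0] == "app" and t[0] == "app" and s[1] == t[1] and len(s) == len(t):
        for a, b in zip(s[3:], t[3:]):
            subst = unify(a, b, subst)
            if subst is None:
                return None
        return subst
    return None   # distinct constants, or constant against application


def resolve(term, subst):
    """Apply the unifier to a term."""
    term = walk(term, subst)
    if term[0] == "app":
        return term[:3] + tuple(resolve(a, subst) for a in term[3:])
    return term
```

A variable of sort mammal unifies with a constant of sort whale but not with one of sort bird; two variables of sorts dog and whale have no unifier because the sorts are incomparable.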

Ait-Kaci and Nasr have given a unification algorithm for a more expressive class of taxonomic theories and propose using this algorithm in an implementation of the programming language PROLOG [Ait-Kaci & Nasr 86]. Stickel has investigated the use of taxonomic theories in even greater generality although Stickel does not address unification as a mechanism for generating variable bindings (only the ground case is considered as lifting to the general case is "straightforward") [Stickel 85].

Ontic's mechanism for inheritance via semantic modulation is based on taxonomic information. More specifically, the Ontic system classifies each focus object by associating each focus object with a set of types known to be true of that focus object. This classification process takes the type hierarchy into account. For example if r is a focus object, $\sigma$ is a type known to hold of r, and the formula (IS-EVERY $\sigma$ $\tau$) is labeled true, then the classification process will collect $\tau$ as a type known to hold of r.

Unlike unification, Ontic's focused binding mechanism integrates the use of type information with other theorem proving mechanisms. Ontic may prove a statement about types and use that statement immediately in classifying the current focus objects. Ontic's focused binding mechanism automatically incorporates arbitrary lemmas about the types of objects. There is no guarantee, however, that Ontic's focused binding mechanism will derive all the logical consequences of taxonomic information.



2.2.3 Higher-Order Unification 

Unification has been generalized to allow for higher-order variables; higher-order unification can be used to bind variables that range over functions and predicates as well as variables ranging over first order terms. For example, consider the induction schema for Peano arithmetic.

$$P(0) \wedge \forall n\,(P(n) \Rightarrow P(n+1)) \Rightarrow \forall n\, P(n) \qquad (2.1)$$

In this schema P is a variable which ranges over predicates. This schema 
can be instantiated with any predicate P and higher-order unification can 
be used to find bindings for P. For example consider a function f which is known to be monotone:

$$\forall m\; f(m+1) \geq f(m) \qquad (2.2)$$

and we wish to prove

$$\forall m\; f(m) \geq f(0) \qquad (2.3)$$

To prove this last statement a backward chaining theorem prover might unify P(n) from the conclusion of 2.1 with the goal $f(m) \geq f(0)$ from 2.3. This unification leads to the following bindings:

$$n \mapsto m \qquad P \mapsto (\lambda(n)\; f(n) \geq f(0))$$

A backward chaining inference system could then establish the antecedents of 2.1 under the above binding for the predicate P.
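The binding step just described, as an added example that is not code from the thesis, EKL or TPS. It handles only the case shown above, in which the schema variable P is applied to a bound variable, so P is obtained by abstracting the goal over that variable; Huet's general higher-order unification procedure is not implemented. Formulas are nested tuples, the relation symbol and the goal are the text's, and the name of the bound variable is an assumption.

```python
# Added example; not code from the thesis, EKL or TPS.  The single
# higher-order binding step for the induction schema 2.1, restricted to the
# case where P is applied to a bound variable, followed by instantiation of
# the schema's two antecedents under that binding.

def replace(term, name, value):
    """Replace every occurrence of the variable symbol `name` in `term`."""
    if term == name:
        return value
    if isinstance(term, tuple):
        return tuple(replace(t, name, value) for t in term)
    return term


def abstract(goal, arg):
    """The binding for P: (lambda (n) goal[arg := n]).  Assumes the symbol
    "n" does not already occur free in goal (true of the goal below)."""
    return ("lambda", "n", replace(goal, arg, "n"))


def apply_pred(pred, arg):
    """Beta-reduce (lambda (n) body) applied to arg."""
    _, bound, body = pred
    return replace(body, bound, arg)


def induction_subgoals(goal, arg):
    """Bind P against goal, then return (P, base case, inductive step),
    the two antecedents of schema 2.1 under that binding."""
    P = abstract(goal, arg)
    base = apply_pred(P, 0)
    step = ("forall", "k", ("implies", apply_pred(P, "k"), apply_pred(P, ("+", "k", 1))))
    return P, base, step


# Constructed goal 2.3 with m free: f(m) >= f(0)
GOAL = (">=", ("f", "m"), ("f", 0))

if __name__ == "__main__":
    for part in induction_subgoals(GOAL, "m"):
        print(part)
```

For the goal above the base case becomes f(0) >= f(0) and the step becomes, for every k, f(k) >= f(0) implies f(k+1) >= f(0), which is where the monotonicity assumption 2.2 is then used.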

The first complete unification procedure for higher-order logic was con- 
structed by Gerard Huet [Huet 75]. Higher-order unification has been used 
effectively in at least two mathematical verification systems, Ketonen's EKL 
system [Ketonen 84] and Andrews' TPS [Miller et al. 82]. In both sys- 
tems the higher-order unification procedure was found to terminate quickly 
in practice. 

The Ontic system is higher-order in the same sense that axiomatic set 
theory is higher-order; functions and predicates can be "reified" as sets and 
thus first order variables can be made to range over functions and predicates. 
In the Ontic system the user can focus on a reified predicate Q and thus cause 
the system to bind variables to the predicate Q. This kind of "higher-order" 
binding is used many times in the mathematical development given in the 
appendix. 

While the Ontic system does allow for higher-order reasoning, the Ontic 
system does not adequately handle mathematical induction. Verifying in- 
duction proofs in the Ontic system results in a large expansion factor; the 
machine readable proofs are significantly longer than the natural language 
counterpart. 

Higher-order unification provides one technique for reducing the expansion factor for induction proofs. The EKL system relies on higher order unification both in establishing the well formedness of recursive definitions and in performing induction arguments to prove properties of recursively defined functions. But there seem to be other, perhaps even better, techniques for reasoning about recursive definitions. The Boyer-Moore theorem prover is extremely effective in performing induction arguments but does not use higher order unification [Boyer & Moore 79]. Ontic's weakness with regard to induction arguments and possible ways of making Ontic's induction mechanisms more powerful are discussed in section 3.2.2.



2.3 Inference Mechanisms Unlike Ontic's 



This section surveys some of the general purpose inference mechanisms that have been introduced in the past thirty years and compares these mechanisms with Ontic's object-oriented inference mechanisms. Only general purpose inference mechanisms are discussed here; domain specific mechanisms, such as Chou's application of Wu's method for geometry theorem proving, will not be discussed [Wu 86] [Chou 84]. I will also not discuss decision procedures for particular theories or mechanisms for combining decision procedures [Nelson & Oppen 79] [Shostak 82].

This section briefly discusses some particular general purpose inference systems. The Automath proof verification systems used normalization of the typed lambda calculus as an inference mechanism. The Davis-Putnam procedure was based on a direct enumeration of the Herbrand universe for a set of first order sentences. The resolution procedure and its variants improved on the Davis-Putnam procedure by introducing unification, thereby allowing a large number of ground inferences to be abbreviated with a single resolution step. The Boyer-Moore theorem prover finds induction proofs for verifying equations concerning recursive programs in pure Lisp. The Boyer-Moore theorem prover is based on user-defined (and machine verified) rewrite rules together with heuristics for generalizing induction hypotheses. The Knuth-Bendix procedure provides a way of converting a set of unordered equations into a set of rewrite rules for canonicalizing expressions. The Knuth-Bendix procedure can also be used for proving certain equations about recursive programs via an "inductionless" induction technique. Finally, a fair number of systems have been constructed which use automated theorem proving support to verify natural deduction proofs.



2.3.1 Automath 

The typed lambda calculus is closely related to intuitionistic (constructive) proof theory. The analogy between typed lambda calculus and intuitionistic proof theory is based on viewing types as formulas and viewing a term of type $\tau$ as a proof of $\tau$ (where $\tau$ is viewed as a formula). If the formulas encoded by types include quantifiers, i.e., if the type system has dependent types, then it can be difficult to determine if a term u has type $\tau$. More specifically, determining if u has type $\tau$ may involve normalizing (i.e. evaluating) the term u. This normalization process can be viewed as inference where $\beta$-reductions correspond to either the inference rule of modus ponens or the inference rule of universal instantiation.

The relationship between types and formulas of intuitionistic logic underlies one of the earlier mathematical verification systems, the Automath system [deBruijn 68], [deBruijn 73]. The Automath system has been used to verify Landau's Grundlagen, a book on the foundations of the integers, rationals, reals, and complex numbers [Jutting 79]. The book includes a very rigorous (almost formal) definition of each number system. The rationals are defined as equivalence classes of pairs of integers, the reals are defined as Dedekind cuts in the rationals, the complex numbers are defined as pairs of reals. The book also includes proofs that the basic algebraic operations on these numbers are well defined (e.g. addition of rationals, multiplication of reals). No significant theorems are proven other than the well-formedness of these basic definitions.

Even though Landau's Grundlagen is an extremely rigorous (almost formal) book, the version of the book readable by the Automath system is about ten times as long as the Grundlagen itself. This indicates that the Automath verifier does not use powerful automatic inference mechanisms; there is not yet good evidence that normalization of the typed lambda calculus is a useful automated inference mechanism.



2.3.2 The Davis-Putnam Procedure 

The Davis-Putnam procedure [Davis & Putnam 60] is based directly on Herbrand's theorem for the first order predicate calculus. Herbrand's theorem implies that if $\Sigma$ is an unsatisfiable set of first order formulas in Skolem normal form then there exists a finite set $\Gamma$ of ground instantiations of $\Sigma$ such that $\Gamma$ is inconsistent. It is possible to write a computer program that decides whether a set of ground formulas is consistent. To determine if the original set $\Sigma$ of first order formulas is satisfiable, one can simply enumerate all finite ground instantiations $\Gamma$ of $\Sigma$ and test each one for consistency. If $\Sigma$ is inconsistent then by Herbrand's theorem one will find a ground instantiation $\Gamma$ of $\Sigma$ that is inconsistent.
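The enumeration just described, as an added example that is not the 1960 program: ground instances of a Skolemized clause set are generated over larger and larger finite parts of the Herbrand universe and each ground set is tested for satisfiability. The clause set at the bottom is constructed for the demonstration, and the satisfiability test is a brute-force truth-table check rather than the rules of the original procedure. A satisfiable set never produces a refutation, so the search is bounded by a depth argument to make it terminate.

```python
# Added example; not the 1960 program.  Herbrand-style refutation search:
# enumerate ground instances over growing finite parts of the Herbrand
# universe and test each ground set for satisfiability.  Variables are
# strings starting with "?"; terms are constants (strings) or tuples
# (function, arg, ...).  Literals are (sign, predicate, args).
from itertools import product


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def variables(term, acc):
    if is_var(term):
        acc.add(term)
    elif isinstance(term, tuple):
        for a in term[1:]:
            variables(a, acc)
    return acc


def substitute(term, theta):
    if is_var(term):
        return theta[term]
    if isinstance(term, tuple):
        return (term[0],) + tuple(substitute(a, theta) for a in term[1:])
    return term


def herbrand_universe(constants, functions, depth):
    """Ground terms built from the constants by applying the functions
    (given as (name, arity) pairs) at most `depth` times."""
    universe = set(constants)
    for _ in range(depth):
        universe |= {(f,) + args for f, n in functions
                     for args in product(universe, repeat=n)}
    return universe


def ground_instances(clauses, universe):
    """Every way of replacing each clause's variables by universe elements."""
    out = []
    for clause in clauses:
        vs = set()
        for _, _, args in clause:
            for a in args:
                variables(a, vs)
        vs = sorted(vs)
        for values in product(sorted(universe, key=str), repeat=len(vs)):
            theta = dict(zip(vs, values))
            out.append([(sign, pred, tuple(substitute(a, theta) for a in args))
                        for sign, pred, args in clause])
    return out


def satisfiable(ground_clauses):
    """Brute-force propositional satisfiability of a ground clause set
    (a real implementation would use unit propagation and splitting)."""
    atoms = sorted({(p, args) for c in ground_clauses for _, p, args in c}, key=str)
    for bits in product([False, True], repeat=len(atoms)):
        val = dict(zip(atoms, bits))
        if all(any(val[(p, args)] == sign for sign, p, args in c) for c in ground_clauses):
            return True
    return False


def davis_putnam(clauses, constants, functions, max_depth):
    """Return the universe depth at which the ground instances become
    inconsistent (a refutation), or None if none is found up to max_depth."""
    for depth in range(max_depth + 1):
        instances = ground_instances(clauses, herbrand_universe(constants, functions, depth))
        if not satisfiable(instances):
            return depth
    return None


# Constructed clause set: P(a); not P(x) or P(f(x)); not P(f(f(a))).
# The first two clauses imply P(f(f(a))), so the set is unsatisfiable.
CLAUSES = [
    [(True, "P", ("a",))],
    [(False, "P", ("?x",)), (True, "P", (("f", "?x"),))],
    [(False, "P", (("f", ("f", "a")),))],
]
```

With the universe {a} alone the instances are still satisfiable; adding f(a) at depth 1 produces the instance not P(f(a)) or P(f(f(a))), after which no assignment works and the refutation is found.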

The Davis-Putnam procedure is not used today; resolution theorem proving is more effective [Robinson 65]. The Davis-Putnam procedure spends most of its time deciding the satisfiability of quantifier-free ground formulas. Resolution theorem proving is more effective because a large (infinite) number of ground inferences are summarized in a single resolution step. More specifically, the formula generated by a resolution step can be viewed as a universally quantified lemma which summarizes a large number of ground statements [Robinson 65]. Because other proof mechanisms (resolution) are more effective than the Davis-Putnam procedure, the Davis-Putnam procedure will not be discussed further here.



2.3.3 Resolution and its Variants 

Most research in automated theorem proving in the past twenty years has been based in some way on resolution. The basic resolution rule was introduced by Robinson in 1965 and shown to be refutation complete for first order predicate calculus [Robinson 65]. The resolution principle represented a clear advance over the Davis-Putnam procedure because a single resolution step abbreviates a large number of the ground inferences. However the number of possible n-step deductions grows exponentially in n and it soon became clear that resolution theorem provers could not, in practice, find significant theorems by searching this large space of possible deductions.

The late sixties saw the development of a large number of restrictions on 
the resolution principle. Each such restriction rules out certain resolution 
steps and thus reduces the number of possible n-step deductions. In spite of 
the reduction in the number of possible inferences, various restricted forms 
of resolution are logically complete. A description of various restrictions and 
modifications of the resolution rule can be found in [Loveland 78]. Connection 
graph resolution, a resolution restriction invented by Kowalski, is described 
in [Bibel 81]. 

One perceived difficulty with resolution theorem proving, in addition to the large search spaces encountered, is the use of normal forms. Resolution requires that first order formulas be put in normal form in three stages. First, all quantifiers are moved to the beginning of the formula resulting in a formula in prenex normal form. Second, existential quantifiers are replaced by Skolem functions resulting in an equisatisfiable formula in prenex normal form with only universal quantifiers. Finally, the matrix of the formula (the part after the quantifiers) must be placed in conjunctive normal form resulting in a set of universally quantified clauses where each clause is a disjunction of literals. Several researchers have developed theorem proving techniques which are similar to resolution but which do not require the last normalization step: the matrix of the formula need not be in conjunctive normal form. Such "non-clausal" provers are described in [Andrews 81], [Murray 82], and [Stickel 82]. These non-clausal procedures are similar to resolution in that they use unification to find matches between formulas and matched formulas are combined to generate new formulas. The non-clausal procedures are also similar to resolution in that existential quantification is eliminated in favor of Skolem constants.

Research in resolution theorem proving and related techniques has focused on establishing logical completeness. However, logical completeness may not be important in practice. The Boyer-Moore theorem prover is clearly not complete, it often terminates in failure, and yet the Boyer-Moore prover has been used effectively in more applications than has any other theorem proving system.

As a side effect of focusing on completeness, the resolution theorem prov- 
ing community has failed to make any distinction between "obvious" and 
"non-obvious" inferences. The failure to distinguish obvious and non-obvious 
inferences makes it difficult to use resolution theorem provers in interactive 
proof verifiers. Any interactive proof verifier based on resolution must have 
some way of forcing the resolution process to terminate so that a proposed 
proof step can be rejected in a finite amount of time. For example Bledsoe 
built an interactive verifier which simply imposed a time limit on the reso- 
lution process [Bledsoe 71]. A more principled restriction of the resolution 
process has been introduced by Davis [Davis 81] and used in the Mizar sys- 
tem [Trybulec & Blair 85]. However the restriction proposed by Davis forces 
the decision procedure for obvious inferences to determine the satisfiability 
of an arbitrary set of ground clauses. Determining the satisfiability of a set 
of ground clauses is known to be NP-complete. Furthermore, as far as I 
know, there has never been a detailed comparison of natural arguments and 
theorems provable under Davis' suggestion. 



2.3.4 Rewriting Mechanisms 

Automated inference systems often have a hard time dealing with equality 
and equational axioms. Directed rewrite systems provide one approach to 
reasoning about equality. The process of rewriting expressions is also known 
as simplification, symbolic evaluation or demodulation. Rewrite systems iter- 
atively simplify a given expression until it is in canonical form. A statement 
can be proved by rewriting it to the constant true. 

Some of the most effective theorem proving systems are based on rewrite mechanisms. Most notably, the Boyer-Moore theorem prover uses a simplification mechanism guided by user defined (but machine verified) rewrite rules [Boyer & Moore 79]. The Boyer-Moore theorem prover has been used to verify a wide variety of theorems from number theory, recursive function theory, formal logic and software and hardware verification [Boyer & Moore 84], [Shankar 85], [Russinoff 85], [Boyer & Moore 86]. The real power of the Boyer-Moore prover comes from its ability to perform induction proofs. However the simplification (rewrite) mechanism is central to the system.

The Boyer-Moore prover is primarily used to prove equations between terms defined in pure Lisp. Once an equation has been proven it is treated as a rewrite rule to be used in future proofs. The direction of each newly proven rewrite rule is provided by the human user, e.g. when the system proves an equation $s = t$ the human user specifies whether this equation should be treated as $s \rightarrow t$, which rewrites s to t, or as $t \rightarrow s$, which rewrites t to s.

Ketonen's EKL system is another example of a verification system based on user defined rewrite rules [Ketonen 84]. As in the Boyer-Moore prover, the direction of EKL rewrite rules is specified by the human user. Unlike the Boyer-Moore prover however, the EKL system uses Huet's higher order unification procedure to perform induction proofs. The EKL system lacks the facility for generalizing induction hypotheses used in the Boyer-Moore prover.

Knuth and Bendix developed a powerful method for constructing decision procedures for certain equational theories [Knuth & Bendix 69]. Unlike the Boyer-Moore prover and the EKL system, the Knuth-Bendix procedure can be used to automatically convert undirected equations to directed rewrite rules. More specifically, equations can be ordered via a general (but user specified) order $\succ$ on terms. If $s \succ t$ then the equation $s = t$ becomes the rule $s \rightarrow t$; if $t \succ s$ then the equation $s = t$ becomes $t \rightarrow s$. The partial order $\succ$ used in the Knuth-Bendix procedure must be well founded, respect term structure, and obey substitutions (see [Knuth & Bendix 69] for details).

After ordering equations into rewrite rules, the Knuth-Bendix procedure can also be used to automatically construct additional "derived" rewrite rules. More specifically, given a set of unordered equations, and an acceptable partial order $\succ$ on terms, the Knuth-Bendix procedure both converts equations to rewrite rules and constructs additional rewrite rules whose validity follows from the original equations. The set of rewrite rules that results from applying the Knuth-Bendix procedure to a set $\Sigma$ of equations is often much larger than $\Sigma$. If the Knuth-Bendix procedure terminates with success it generates a set of rewrite rules that completely canonicalize expressions relative to the given equations; by canonicalizing expressions one can determine if two terms can be proven equal from the original set of equations. Unfortunately, however, the Knuth-Bendix procedure does not always succeed; it can either terminate in failure or fail to terminate.

The Knuth-Bendix procedure has been used extensively in systems which manipulate equational specifications of computer programs and equational programming languages [Kapur et al. 86] [Lescanne 86] [Huet 86]. These systems are based on an equational view of programming in which computer data structures are viewed as terms constructed from atomic symbols (Lisp atoms) and "data constructor functions" such as the Lisp function CONS. Recursive functions can be defined via equations involving the defined function symbols [Guttag & Horning 78] [O'Donnell 85].

The Knuth-Bendix procedure can also be used to generate "induction arguments" of the type performed by the Boyer-Moore theorem prover [Huet & Hullot 83]. More specifically, consider the closed (variable free) terms which can be constructed from a set of "atoms" (constructor functions of no arguments), constructor functions (functions such as CONS which construct data objects), and defined functions. A "data object" is a term with no defined functions. Let $\Sigma$ be a set of equations which defines the defined function symbols as operations on the data objects, i.e. no two data objects can be proven equal from $\Sigma$ and every closed term involving defined functions can be proven (under $\Sigma$) to be equal to some data object. Now suppose we wish to prove some equation s = t where s and t are distinct terms involving defined functions and free variables. For example the equation s = t might state the associativity of the APPEND function on lists. The equation s = t holds in the data object universe just in case there is no counter example, i.e. no ground variable substitution $\sigma$ such that $\sigma(s)$ denotes a different data object from $\sigma(t)$. If there exists a counter example to the equation s = t then adding this equation to $\Sigma$ would allow one to prove an equation between two distinct data objects. The Knuth-Bendix procedure can be used (in some cases) to convert $\Sigma \cup \{s = t\}$ to a complete set of rewrite rules. By examining this set of rewrite rules it is possible to determine whether $\Sigma \cup \{s = t\}$ allows one to prove an equation between distinct data objects. If such an equation is provable then the equation s = t has a counter example. If no such equation between distinct data objects is provable from $\Sigma \cup \{s = t\}$ then the equation s = t has no counter examples and must be true in the data object universe. In general it may be possible to show that s = t has counter examples at an intermediate point in the Knuth-Bendix procedure; thus a complete set of rewrite rules for $\Sigma \cup \{s = t\}$ may not be required.

One problem with the Knuth-Bendix procedure however is the need for 
a single partial order on all expressions. There may be domain specific intu- 
itions about how terms should be rewritten and it is difficult to incorporate 
such knowledge into a single uniform term ordering. While some sophisti- 
cated partial orders have been developed [Dershowitz 79], it is not yet clear 
whether a uniform term ordering can be used for the large verifications that 
have been done with the Boyer-Moore prover. 

Like unification research, research on term rewriting systems using the Knuth-Bendix mechanism has centered on the notion of logical completeness. There are many equational theories $\Sigma$ with an undecidable set of logical consequences (an undecidable word problem) and in this case the Knuth-Bendix procedure either terminates in failure or fails to terminate. In systems based on the Knuth-Bendix procedure it is not clear what to do when the procedure fails. Even if a complete set of reductions is found, the time required to perform the rewriting may be prohibitively large. The rigid framework of the Knuth-Bendix procedure may make it difficult to perform the large verifications that have been done with the Boyer-Moore prover; it is not clear that a Knuth-Bendix based system could verify the RSA encryption algorithm or the undecidability of the halting problem as has been done with the Boyer-Moore system [Boyer & Moore 84] [Boyer & Moore 86].

Rewrite systems are designed to handle equational theories. The Ontic system handles equality with its congruence closure mechanism; rewrite rules are not used. The congruence closure mechanism can be quite powerful in practice. Figure 2.1 gives an example of an inference done using Ontic's congruence closure mechanism. Consider a distributive lattice with a least member 0 and a greatest member 1 (a lattice with a least and greatest member is called bounded). If x and y are members of the lattice L then we say that x and y are complements if the meet of x and y is 0 and the join of x and y is 1. It was obvious to the Ontic interpreter that in any bounded distributive lattice a given member x has at most one complement. Ontic's proof of this fact, also shown in figure 2.1, uses congruence closure.

    (IN-CONTEXT ((LET-BE L (AND-TYPE DISTRIBUTIVE-LATTICE
                                     BOUNDED-LATTICE))
                 (LET-BE X (IN-U-SET L))
                 (PUSH-GOAL
                   (AT-MOST-ONE (COMPLEMENT-OF X L))))
      (IN-CONTEXT ((SUPPOSE (EXISTS (COMPLEMENT-OF X L)))
                   (LET-BE Y1 (COMPLEMENT-OF X L))
                   (LET-BE Y2 (COMPLEMENT-OF X L)))
        (NOTE-GOAL))
      (NOTE-GOAL))

Ontic "sees" this theorem using its congruence closure mechanism as follows:

$$
\begin{aligned}
y_1 &= y_1 \wedge 1 && \text{A previously established fact.}\\
    &= y_1 \wedge (y_2 \vee x) && \text{Because } y_2 \text{ is a complement of } x.\\
    &= (y_1 \wedge y_2) \vee (y_1 \wedge x) && \text{By definition of a distributive lattice.}\\
    &= (y_1 \wedge y_2) \vee 0 && \text{Because } y_1 \text{ is a complement of } x.\\
    &= (y_1 \wedge y_2) \vee (y_2 \wedge x) && \text{Because } y_2 \text{ is a complement of } x.\\
    &= (y_2 \wedge y_1) \vee (y_2 \wedge x) && \text{Because } \wedge \text{ is commutative.}\\
    &= y_2 \wedge (y_1 \vee x) && \text{By definition of a distributive lattice.}\\
    &= y_2 \wedge 1 && \text{Because } y_1 \text{ is a complement of } x.\\
    &= y_2 && \text{Because } y_2 = y_2 \wedge 1.
\end{aligned}
$$

Figure 2.1: A statement that is obvious to Ontic but not obvious to people

Figure 2.1 shows that congruence closure is a powerful technique for rea- 
soning about equality. Because Ontic handles equality with congruence clo- 
sure rather than rewrite rules, there is no need for the user to specify rewrite 
directions for equations; the Ontic system can handle undirected declarative 
equations. The value of declarative as opposed to procedural representations 
is discussed in more detail in section 2.4.2. 



2.3.5 Natural Deduction Systems 

Natural deduction systems are based on "natural" rules of inference. A given rule says that a goal G of a certain form can be proven by reducing the goal G to the subgoals $G_1, G_2, \ldots, G_n$. Different rules provide different ways of achieving a goal where the success of any one rule is sufficient. The earliest natural deduction system was Newell, Shaw and Simon's Logic Theorist [Newell, Shaw & Simon 57]. This system used natural deduction rules and backward chaining to prove theorems in Whitehead and Russell's Principia Mathematica. Soon after the construction of the Logic Theorist, Gelernter constructed his program for finding proofs in Euclidean geometry [Gelernter 59]. Gelernter's system also used backward chaining and natural deduction rules but the subgoals were pruned by the use of a diagram, i.e. a model of the assumptions in the proof. If a subgoal was false in the diagram then the system could infer that the subgoal could not be achieved and thus should be abandoned.
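Backward chaining with subgoals pruned by a model, as an added example; it is not code from the Logic Theorist or from Gelernter's program, and the propositional rules, facts and "diagram" are constructed for the demonstration. A goal is reduced to the subgoals of any rule that concludes it, and a subgoal is abandoned as soon as it is found false in the model. The pruning is sound only when the model really satisfies the facts and rules, which is what the is_model check enforces: anything provable from a set of assumptions is true in every model of those assumptions, so a subgoal that is false in one model cannot be provable.

```python
# Added example; not code from the Logic Theorist or Gelernter's program.
# Backward chaining over propositional rules with Gelernter-style pruning:
# a subgoal that is false in a model of the assumptions is abandoned.
# Rules, facts and model are constructed for the demonstration.

def is_model(model, rules, facts):
    """Soundness condition for pruning: every fact is true in the model and
    every rule whose subgoals are all true has a true conclusion."""
    if not all(model.get(f) for f in facts):
        return False
    return all(model.get(concl) for concl, alternatives in rules.items()
               for subgoals in alternatives if all(model.get(g) for g in subgoals))


def prove(goal, rules, facts, model, trace=None, depth=0):
    """True if goal is derivable from facts by the rules.  `rules` maps each
    conclusion to a list of alternative subgoal lists (any one alternative
    suffices); `trace`, if given, records every subgoal attempted."""
    if trace is not None:
        trace.append(goal)
    if goal in facts:
        return True
    if model.get(goal) is False:          # false in the diagram: prune
        return False
    if depth > 20:                        # guard against circular rule sets
        return False
    return any(all(prove(g, rules, facts, model, trace, depth + 1) for g in subgoals)
               for subgoals in rules.get(goal, []))


def attempted(goal, rules, facts, model):
    """The subgoals a proof attempt actually visits, in order."""
    trace = []
    prove(goal, rules, facts, model, trace)
    return trace


# Constructed toy "geometry": two ways to show two triangles congruent.
RULES = {
    "congruent": [["side1", "side2", "side3"],      # SSS, tried first
                  ["side1", "angle", "side2"]],     # SAS
    "side3": [["parallelogram"]],
}
FACTS = {"side1", "side2", "angle"}
# A diagram satisfying the facts in which the figure is not a parallelogram.
MODEL = {"side1": True, "side2": True, "angle": True, "congruent": True,
         "side3": False, "parallelogram": False}
```

With the model the SSS attempt stops at side3 without ever trying parallelogram; with an empty model (no pruning) the search descends into that dead branch before the SAS rule succeeds.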

During the sixties research in automatic theorem proving focused primarily on resolution theorem proving. However, during the early seventies frustration with resolution systems led to a renewed interest in natural deduction systems [Bledsoe 77]. Natural deduction systems from the seventies include [Bledsoe 71], [Nevins 72], [Bledsoe et al. 72], [Reiter 73], [Ernst 73], [Goldstien 73], [Bledsoe & Bruell 73], and [deKleer et al. 77]. These later natural deduction systems often used resolution as a subroutine for proving subgoals. A time limit was imposed on resolution proofs to force the resolution theorem prover to terminate quickly [Bledsoe 71].

One of the major problems with using resolution as a test for "obvious" 
subgoals was the tendency of resolution to get lost when it was given too many 
initial facts. In other words resolution was not able to automatically find the 
relevant facts in a large lemma library. As Bledsoe says in [Bledsoe 71]: 

One of the more serious [problems is referencing]. The com- 
puter should be able to bring to bear "all it knows" (all definition 
axioms and previously proven theorems) . . . But if one attempts 
a resolution proof on a large number of formulas, the result is the 
production of a glut of irrelevant clauses and sure failure, even 
when the best known search strategies are used. Thus the crucial 
part of a resolution proof is the selection of the reference theo- 
rems by the human user; the human, by this one action, usually 
employs more skill than that used by the computer in the proof. 

It is useful to remember that this was written in 1971, well after most of 
the refinements to resolution had been developed. These comments about 
the ineffectiveness of resolution on large lemma libraries are probably as true 
today as they were in 1971. The Ontic interpreter on the other hand seems 
to handle large lemma libraries without difficulty. It would be interesting to 
reconstruct these old natural deduction systems using the Ontic interpreter 
rather than resolution to test for obvious subgoals. 

The Seventies also saw a development of basic natural deduction proof 
checking systems that did not provide much automated reasoning support. 
For example McDonald and Suppes developed an interactive proof checking 
system for teaching an introductory logic course [McDonald & Suppes 84]. 
Richard Weyhrauch also developed the FOL system for checking first order 
logic proofs [Weyhrauch 77]. 

While the FOL system does not provide sophisticated general purpose 
theorem proving, it does provide a uniform mechanism for associating any 
given predicate or function symbol with a computer program for computing 
the value of the predicate or function on "semantic" arguments. It seems clear 
that mathematical verification systems could benefit from the addition of 
computational oracles. Along with procedures for basic arithmetic (addition, 
multiplication, etc.) one can imagine incorporating procedures for symbolic 
integration, series summation, or polynomial manipulation. No attempt has 
been made to incorporate such features into the Ontic system. 

Procedural attachment is part of a general focus on "metatheory" within 
the FOL system [Weyhrauch 80]. While procedural attachment has clear 
potential value, I think the emphasis on metatheory is misplaced. There 
seems to be a fundamental unity in all mathematics; there is no fundamental 
distinction between "metamathematics", number theory, graph theory, finite 
combinatorics, or real analysis. A system which reasons about numbers, 
graphs, and ordered sets can just as easily reason about formulas, models, 
and Tarskian truth functions. 

During the late seventies and into the eighties there has been an emphasis 
on "programmable" natural deduction systems. These systems provide a 
mechanism for adding user defined inference rules. The first programmable 
natural deduction system was Edinburgh LCF [Gordon, Milner & Wadsworth 
79]. A more recent programmable natural deduction system is the Nuprl system 
developed by Bates and Constable [Constable et al. 86] [Howe 86]. The 
Nuprl system grew out of research in interactive verification systems [Constable 
et al. 82] and their use in teaching formal logic and formal approaches 
to program verification. The Nuprl system is based on constructive type 
theory and places particular emphasis on finding constructive proofs. The 
system provides a facility for converting a constructive proof that a certain 
number exists into a program for computing that number. 

Backward chaining natural deduction systems use rules of inference to 
convert a given goal to a set of subgoals. In the Nuprl system the user 
can define new inference rules, or "tactics", for converting a goal to a set of 
subgoals. When a tactic replaces a goal $G$ by a set of subgoals $G_1, G_2, \ldots, G_n$ 
the tactic must construct a proof showing that the replacement is sound, 
i.e. that the subgoals $G_1, G_2, \ldots, G_n$ imply the goal $G$. One could write a 
tactic for showing that any given set $S$ is a subset of $U$ by supposing that 
$S$ is non-empty and then considering an arbitrary member of $S$. One could 
then use this tactic as a subroutine and write another tactic for showing that 
two sets are equal by showing that each is a subset of the other. In the 
Ontic system one has to repeat this style of argument every time one wants 
to prove set equality. It seems likely that tactics could be used in the Ontic 
system to reduce the length of machine readable proofs. On the other hand 
it seems likely that Ontic's object oriented inference mechanisms could be 
used to reduce the length of proofs in the Nuprl system. 
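The tactic mechanism just described, as an added example in Python (not code from Nuprl, LCF or Ontic): a tactic maps a goal to subgoals together with a justification that assembles the subgoal proofs into a proof of the goal, and a separate checker refuses any proof whose rule applications are unsound. The rule names, the tuple forms of goals and proofs, and the set names A and B are constructed for the example.

```python
"""A minimal LCF/Nuprl-style tactic mechanism with an independent proof checker.

Added illustration, not Nuprl's or Ontic's code. Goals and proofs are
tuples. A tactic maps a goal to a list of subgoals plus a justification
that assembles proofs of the subgoals into a proof of the goal, and
check() accepts a proof tree only if every rule application is sound, so
an unsound tactic cannot be used to close a goal. Rule names, the goal
forms and the set names A, B are constructed for the example.
"""


def member_goal(s, u):
    """The subgoal left by the subset tactic: forall x. x in S -> x in U."""
    return ("forall", "x", ("implies", ("in", "x", s), ("in", "x", u)))


def check(proof, hyps):
    """True iff the proof tree is sound relative to the hypothesis set hyps."""
    rule, concl, *premises = proof
    if rule == "hyp":                                   # leaf: the goal is a hypothesis
        return not premises and concl in hyps
    if not all(check(p, hyps) for p in premises):
        return False
    facts = [p[1] for p in premises]                    # what the premises establish
    if rule == "subset_intro" and concl[0] == "subset" and len(concl) == 3:
        _, s, u = concl
        return facts == [member_goal(s, u)]
    if rule == "eq_intro" and concl[0] == "eq" and len(concl) == 3:
        _, s, u = concl                                 # both inclusions are required
        return facts == [("subset", s, u), ("subset", u, s)]
    return False


def subset_tac(goal):
    """Reduce S subset U to its membership goal; the justification wraps it in subset_intro."""
    if goal[0] != "subset":
        raise ValueError("subset_tac: goal is not a subset claim")
    _, s, u = goal
    return [member_goal(s, u)], lambda proofs: ("subset_intro", goal, *proofs)


def set_eq_tac(goal):
    """Reduce S = U to both inclusions, each reduced further by subset_tac."""
    if goal[0] != "eq":
        raise ValueError("set_eq_tac: goal is not an equality")
    _, s, u = goal
    sub1, just1 = subset_tac(("subset", s, u))
    sub2, just2 = subset_tac(("subset", u, s))

    def justify(proofs):
        k = len(sub1)
        return ("eq_intro", goal, just1(proofs[:k]), just2(proofs[k:]))

    return sub1 + sub2, justify


def prove(goal, tactic, hyps):
    """Apply the tactic, close every subgoal by hypothesis, and let check() validate the result."""
    subgoals, justify = tactic(goal)
    if any(s not in hyps for s in subgoals):
        return None
    proof = justify([("hyp", s) for s in subgoals])
    return proof if check(proof, hyps) else None


def prove_set_equality():
    """Constructed hypotheses: both membership goals for A and B are given."""
    hyps = {member_goal("A", "B"), member_goal("B", "A")}
    return prove(("eq", "A", "B"), set_eq_tac, hyps)


def unsound_justification_rejected():
    """A justification that drops the second inclusion must be refused by check()."""
    hyps = {("subset", "A", "B")}
    bogus = ("eq_intro", ("eq", "A", "B"), ("hyp", ("subset", "A", "B")))
    return not check(bogus, hyps)
```

The point of the design is that only `check()` is trusted: tactics may be arbitrarily clever, but the justification they return is re-validated rule by rule, which is exactly what lets users add their own tactics without enlarging the trusted core.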



2.4 Issues in Automated Reasoning 

There are several general issues involved in the construction of proof verifi- 
cation systems. First, in designing a verification system one should consider 
the expressive power of the formal language involved. Does the language 
allow one to express a wide variety of formal concepts and arguments? Sec- 
ond, one should consider the extent to which the knowledge base contains 
procedural as opposed to declarative information. Procedural information 
may help make the system run more effectively but procedural information 
is harder to construct and a reliance on procedural information makes automatic 
discovery of useful information more difficult. Third, one should 
consider whether the system should rely on backward or forward chaining. 
It is not clear whether forward chaining has any intrinsic advantage over 
backward chaining or vice versa. In both cases the basic problem is to con- 
trol the generation of facts or subgoals. Simplification seems to be effective 
as a guiding principle in backward chaining while focus seems to be effective 
as a guiding principle in forward chaining. 



2.4.1 Expressive Power 

Some very restricted formal languages have tractable inference problems: 
there exists a tractable procedure for determining the validity of any state- 
ment expressible in the language. Thus there seems to be a trade off between 
expressive power and computational tractability in knowledge representation 
languages [Levesque & Brachman 85]. However this "trade off" is misleading. 
In order to design a language with a tractable inference problem one 
must design a language in which hard questions can not be asked. But this 
does not produce the result one really wants; rather than making it easier 
to answer hard questions, limiting the expressive power of a language simply 
makes it impossible to ask hard questions. On the other hand, increasing 
the expressive power of the reasoning language can make it easier to reason 
about hard questions. 

Natural mathematics (mathematics done in natural language) seems to 
have a notion of "well typed" expressions. For example consider the well 
typed phrase 

"the value of the map $f$ on the point $x$" 

as opposed to the "garbled" phrase 

"the value of topological space $X$ on the point $x$". 

The notion of a well typed natural phrase seems to correspond to the notion 
of a well typed formal expression. Mathematicians talk about groups, rings, 
fields, topological spaces, differentiable manifolds, group homomorphisms, 
differentiable maps and much more. It seems that in natural mathematics 
any definable set (or class) can be used as a type in determining the set of 
well typed phrases. Most strongly typed formal systems, however, do not 
allow arbitrary predicates to be used as types. 

In designing a type system there appears to be a trade off between ex- 
pressive power and computational tractability. One can ensure computa- 
tional tractability by restricting the type system so that only certain simple 
predicates can be used as types. Restricted type systems can not express natural 
types such as "prime number", "symmetric matrix", or "transitive reduced 
graph". While the inability to express such types makes type-checking 
tractable, it prevents the type-checking process from even attempting to verify 
certain semantic properties of programs. It seems likely that one could 
construct a quickly terminating type-checking procedure which could verify 
all simple types and could also verify some more difficult "semantic" types. 
Restrictions on the vocabulary of types do not make it easier to answer 
hard questions, they only make hard questions impossible to ask. 



2.4.2 Declarative Representations 

Many automated inference systems require every declarative fact to be aug- 
mented with procedural information: information about how the declarative 
fact is to be used in the inference process. Purely declarative facts, facts not 
augmented with procedural instructions, have the advantage that they are 
easier to generate — it seems easier for people to write down a set of purely 
declarative facts than to write down both the declarative facts and additional 
information about how those facts are to be used. The ease of generating 
purely declarative facts may be particularly important in discovery systems 
— systems which automatically generate new lemmas. The task of discover- 
ing and using new facts is easier if one does not have to specify procedural 
information each time a new fact is discovered. 

Unfortunately, purely declarative facts have the disadvantage that they 
are more difficult to compute with. Ketonen has discussed the difficulty of 
constructing effective theorem provers that use purely declarative information 
[Ketonen 84]. In supporting the use of procedural information Ketonen 
considers the following formula: 

$P(x) \Rightarrow A = B$ 

He argues that there is no single way to use this formula and lists the following 
possible procedural interpretations: 

1. Replace $P(x) \Rightarrow A = B$ by true whenever it appears. 

2. Replace $A = B$ by true if one can prove $P(x)$ in the current situation. 

3. Replace $P(x)$ by false if one can prove $A \neq B$. 

4. Replace $A$ by $B$ whenever one can prove $P(x)$. 

5. Replace $B$ by $A$ whenever one can prove $P(x)$. 

6. Replace $A$ by $B$ whenever one can prove $P(x)$ but not in terms resulting 
from this substitution. 

Ketonen argues that one must choose between the above procedural interpretations. 
Interpretations (4) and (5) seem opposite in intent. Furthermore 
formulas involving quantifiers would have an even greater number of different 
interpretations. Ketonen concludes that the user must specify how formulas 
are to be used. 

It seems that Ketonen's difficulty with purely declarative representation 
comes from his commitment to rewrite systems. Ontic's inference mechanism 
effectively uses interpretations (1) through (5) simultaneously. Replacing a 
formula $\Phi$ by true in a rewrite system is analogous to putting the label true 
on the node for $\Phi$ in Ontic's marker propagation mechanism. In the Ontic 
system Boolean constraint propagation handles the procedural interpretations 
(1) through (3) above. In the Ontic system equalities between nodes 
are represented by giving those nodes the same color label. This representation 
of equality together with the congruence closure mechanism effectively 
handles both procedural interpretations (4) and (5). The sixth procedural 
interpretation seems a little strange and is not handled in the Ontic system — 
congruence closure effectively performs all substitutions. 

One of the primary features of the Knuth-Bendix procedure is that equa- 
tions are automatically converted to rewrite rules using a single partial order 
that is defined for all terms. Thus, once the partial order has been defined, 
purely declarative equations are automatically given procedural interpreta- 
tions. However the Knuth-Bendix procedure is not guaranteed to succeed: it 
may terminate without producing a complete set of rewrite rules or it may 
run forever in attempting to generate such a set. Furthermore, because the 
Knuth-Bendix procedure produces rewrite rules, it must choose either proce- 
dural interpretation (4) or interpretation (5) — the Ontic system effectively 
does both simultaneously. The effectiveness of the Knuth-Bendix procedure 
in large verification applications has not yet been established. 
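The claim that one declarative fact serves readings (1) through (5) at once, and that a rewrite system has to pick (4) or (5), can be made concrete with a small marker-propagation engine. The following is an added example in Python, not Ontic's own implementation: formula nodes carry true/false labels, equality is a shared colour label kept in a union-find structure, and congruence closure merges $f(A)$ with $f(B)$ once $A$ and $B$ share a colour. The terms $x$, $A$, $B$, the unary operators $f$ and $g$, and the three scenarios are constructed for the example.

```python
"""Boolean constraint propagation combined with congruence closure.

Added illustration, not Ontic's own code. Nodes are hashable tuples;
equality is a shared colour (a union-find class); an implication recorded
as a rule is the declarative fact labelled true. The scenario is
Ketonen's P(x) => A = B on constructed terms, with unary f and g so that
the substitution readings (4) and (5) have something to act on.
"""


class Graph:
    def __init__(self):
        self.parent = {}      # union-find: node -> parent; the root is the colour label
        self.uses = {}        # class root -> terms having a member of the class as argument
        self.label = {}       # formula node -> True / False (absent means unknown)
        self.rules = []       # implications labelled true, as (antecedent, consequent)
        self.equations = []   # every equality node in the graph

    def node(self, op, *args):
        """Create (or fetch) the node op(args); the args must already be nodes."""
        t = (op,) + tuple(args)
        if t not in self.parent:
            self.parent[t] = t
            self.uses[t] = set()
            for a in args:
                self.uses[self.find(a)].add(t)
            if op == "=":
                self.equations.append(t)
        return t

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path compression
            t = self.parent[t]
        return t

    def congruent(self, p, q):
        return (p[0] == q[0] and len(p) == len(q)
                and all(self.find(u) == self.find(v) for u, v in zip(p[1:], q[1:])))

    def merge(self, a, b):
        """Give a and b one colour, then close under congruence: f(a) = f(b) follows."""
        work = [(a, b)]
        while work:
            a, b = work.pop()
            ra, rb = self.find(a), self.find(b)
            if ra == rb:
                continue
            self.parent[ra] = rb
            moved = self.uses.pop(ra)
            for p in moved:
                for q in self.uses[rb]:
                    if self.congruent(p, q):
                        work.append((p, q))
            self.uses[rb] |= moved

    def set_label(self, f, value):
        """Label a formula; returns True when this is new information."""
        old = self.label.get(f)
        if old is not None and old != value:
            raise ValueError(f"contradictory labels for {f}")
        self.label[f] = value
        return old is None

    def rule(self, ant, con):
        """Record ant => con as a fact that is simply true (reading 1)."""
        self.set_label(self.node("=>", ant, con), True)
        self.rules.append((ant, con))

    def propagate(self):
        """Run to a fixed point; comments name the reading of Ketonen's list realised."""
        changed = True
        while changed:
            changed = False
            for eq in self.equations:
                _, l, r = eq
                if self.find(l) == self.find(r) and self.label.get(eq) is not True:
                    changed |= self.set_label(eq, True)    # one colour => equation true
                if self.label.get(eq) is True and self.find(l) != self.find(r):
                    self.merge(l, r)                        # readings 4 and 5 together
                    changed = True
            for ant, con in self.rules:
                if self.label.get(ant) is True and self.label.get(con) is None:
                    changed |= self.set_label(con, True)   # reading 2: modus ponens
                if self.label.get(con) is False and self.label.get(ant) is None:
                    changed |= self.set_label(ant, False)  # reading 3: contrapositive


def build_scenario():
    """Constructed graph: P(x) => A = B plus the terms f(A), f(B), g(f(A)), g(f(B))."""
    gr = Graph()
    x, a, b = gr.node("x"), gr.node("A"), gr.node("B")
    p = gr.node("P", x)
    gr.rule(p, gr.node("=", a, b))
    f_eq = gr.node("=", gr.node("f", a), gr.node("f", b))
    gf_eq = gr.node("=", gr.node("g", gr.node("f", a)), gr.node("g", gr.node("f", b)))
    return gr, p, f_eq, gf_eq


def with_premise_true():
    """P(x) true: A = B becomes true, and congruence gives f(A) = f(B), g(f(A)) = g(f(B))."""
    gr, p, f_eq, gf_eq = build_scenario()
    gr.set_label(p, True)
    gr.propagate()
    return gr.label.get(f_eq), gr.label.get(gf_eq)


def with_equation_false():
    """A = B known false: the contrapositive drives P(x) to false."""
    gr, p, _, _ = build_scenario()
    gr.set_label(gr.node("=", gr.node("A"), gr.node("B")), False)
    gr.propagate()
    return gr.label.get(p)
```

Nothing in the fact itself says which direction the substitution runs: once $A$ and $B$ share a colour, `congruent` treats $f(A)$ and $f(B)$ symmetrically, which is why readings (4) and (5) need no separate choice here, whereas a rewrite rule would have to orient the equation.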

Further experimentation is needed to see if systems which use purely 
declarative information, such as Ontic, can be made as effective as systems 
which are based on rewrite rules, such as the Boyer-Moore theorem prover. 



2.4.3 Forward Chaining 

Forward chaining systems start with a set of premises and derive conclusions 
from those premises. Backward chaining systems start with a goal and reduce 
that goal to subgoals. It is not clear whether forward chaining has any 
intrinsic advantage over backward chaining or vice versa. In both cases the 
basic problem is to control the generation of facts or subgoals. Both forward 
chaining and backward chaining systems can become swamped in a sea of 
derived facts or derived subgoals. Certain sources of guidance seem to work 
for backward chaining and other sources of guidance seem to work for forward 
chaining. 

Simplicity seems to work as a guiding principle in backward chaining. 
Rewrite systems are backward chaining because they start with the expres- 
sion to be proved and rewrite that expression in an attempt to show it equiv- 
alent to the constant true. Rewrite systems are guided by some notion of 
simplicity: a goal expression is always replaced by a simpler goal. The notion 
of simplicity is either implicit in the user specified rewrite rules, as in the 
Boyer-Moore prover, or explicitly defined as an ordering on expressions, as in 
Knuth-Bendix based systems. In both cases however a notion of simplicity 
guides the generation of subgoals. 

Focus seems to work as a guiding principle in forward chaining. Ontic's 
object oriented inference mechanisms are guided by the restriction that de- 
rived facts must be about the focus objects. A similar restriction is used 
in other forward chaining systems such as Nevins' geometry theorem prover 
[Nevins 74], constraint systems such as Waltz labeling [Waltz 75], and con- 
straint languages such as that described by Sussman and Steele [Sussman & 
Steele 80]. 

It should be possible to integrate both backward and forward chaining in 
a single system. In such a system simplification should be used as a guiding 
principle in backward chaining and focus should be used as a guiding principle 
in forward chaining. 



Chapter 3 

Ontic as a Cognitive Model 



One can attempt to evaluate Ontic as a model of human mathematical cog- 
nition by comparing the formal "proofs" that are acceptable to the Ontic 
system with the natural language proofs that are acceptable to people. There 
are some clear differences between Ontic proofs and natural arguments. In 
certain cases the Ontic system can verify proof steps that are not obvious 
to people; we say that Ontic exhibits superhuman performance. In other 
cases there are statements which are obvious to people but which require 
multi-step proofs in the Ontic system; we say that Ontic exhibits subhuman 
performance. The superhuman performance and much of the subhuman per- 
formance can be attributed to specific computational aspects of the Ontic 
system. 

Ontic's congruence closure mechanism provides a clear example of su- 
perhuman performance. The Ontic system can use its congruence closure 
mechanism to "see" that in a distributive lattice complements are unique. 
This fact is not obvious to people. The appendix contains several examples of 
superhuman performance based on congruence closure. All of the examples 
involve lattice theoretic identities. One example is the proof of de Morgan's 
laws from the algebraic axioms for a Boolean lattice. 

After giving examples of superhuman inference based on congruence clo- 
sure, a very fast computationally limited architecture is proposed for massively 
parallel computation. Boolean constraint propagation can be easily 
implemented in this massively parallel architecture but congruence closure 
can not. Substitution constraints are then proposed as an alternative to con- 
gruence closure. Substitution constraints perform many of the substitution 
inferences normally done by congruence closure. Furthermore, substitution 
constraints can be handled by Boolean constraint propagation and thus can 
be implemented on the proposed massively parallel architecture. However, 
substitution constraints do not generate the given examples of superhuman 
performance. 

Of course the Ontic system also exhibits subhuman performance. Some 
cases of subhuman Ontic performance can be traced to weaknesses in the 
lemma library. Several proofs could be shortened by adding lemmas which 
introduce the principle of duality for Boolean lattices and the algebraic "def- 
inition" of a lattice. A more significant set of examples of subhuman Ontic 
performance involve mathematical induction. Although the Ontic system 
can be used to verify induction arguments, the expansion factor is large. In 
natural mathematics induction arguments are often unstated and unnoticed 
even though people understand the arguments and agree to their validity. 
For example consider a graph where the nodes of the graph are colored such 
that any two nodes with an arc between them have the same color. Clearly 
if nodes n and m have different colors then there is no path between them in 
the graph. To verify this clear and obvious fact with the Ontic system would 
require an induction on the length of paths. There are many other examples 
from both mathematics and common sense where induction arguments seem 
to be carried out at a subconscious level. 

Future experimentation will certainly turn up additional ways in which 
the Ontic system exhibits subhuman performance; hopefully examples of sub- 
human performance will lead to the discovery of additional inference mech- 
anisms that bring the system closer to human ability in verifying natural 
arguments. 



3.1 Superhuman Performance 

Congruence closure accounts for all the examples of superhuman performance 
of the Ontic system. The mathematical development given in the appendix 
contains six examples of superhuman performance based on congruence clo- 
sure. All of these examples involve reasoning about lattice identities. 

3.1.1 Examples of Superhuman Performance 

The first example of superhuman Ontic performance is the proof that in 
a distributive lattice complements are unique. This example is given in chap- 
ter 2 and is discussed in more detail below. The second example is the proof 
of de Morgan's laws for complemented distributive lattices. De Morgan's 
laws are straightforward if one assumes that Boolean operations have their 
standard meaning as operators on sets, or equivalently, if Boolean operations 
have their standard meaning as operations on truth functions. However, until 
one has proven the Stone representation theorem one must consider the 
possibility that there exist pathological complemented distributive lattices in 
which the Boolean operations can not be viewed as operations on sets or as 
truth functions. The Ontic proof of de Morgan's laws and an analysis of that 
proof are shown in figure 3.1. Given several previously established simple 
identities for Boolean lattices the Ontic system immediately "sees" that de 
Morgan's laws are true in an arbitrary complemented distributive lattice. 

The mathematical development in the appendix also contains a proof that 
for any elements x and y of a complemented distributive lattice the following 
are equivalent: 

1. $x \le y$ 

2. $y^* \le x^*$ 

3. $x \wedge y^* = 0$ 

4. $x^* \vee y = 1$ 
An Ontic Proof: 

(IN-CONTEXT ( (LET-BE B BOOLEAN-LATTICE) 
              (LET-BE X (IN-U-SET B)) 
              (LET-BE Y (IN-U-SET B)) 
              (LET-BE CX (COMPLEMENT X B)) 
              (LET-BE CY (COMPLEMENT Y B)) 
              (LET-BE M (MEET X Y B)) 
              (LET-BE J (JOIN CX CY B))) 
  (NOTE (IS J (COMPLEMENT-OF M B)))) 

A Corresponding Natural Argument: 

Let $x^*$ and $y^*$ be the complements of $x$ and $y$ respectively. Let 
$m$ be the meet of $x$ and $y$ and let $j$ be the join of $x^*$ and $y^*$. We 
must show that $m$ and $j$ are complements, i.e. that $m \wedge j = 0$ 
and $m \vee j = 1$. This can be done as follows: 

$m \wedge (x^* \vee y^*) = (m \wedge x^*) \vee (m \wedge y^*)$   By distributivity of $\wedge$ over $\vee$. 

$= ((x \wedge x^*) \wedge y) \vee ((y \wedge y^*) \wedge x)$   By assoc. and comm. of $\wedge$. 

$= (0 \wedge y) \vee (0 \wedge x)$   By definition of complement. 

$= 0$   By algebraic properties of $0$. 

$(x \wedge y) \vee j = (x \vee j) \wedge (y \vee j)$   By distributivity of $\vee$ over $\wedge$. 

$= (y^* \vee (x^* \vee x)) \wedge (x^* \vee (y^* \vee y))$   By assoc. and comm. of $\vee$. 

$= (y^* \vee 1) \wedge (x^* \vee 1)$   By definition of complement. 

$= 1$   By algebraic properties of $1$. 

Figure 3.1: An example of superhuman Ontic performance. 
The Ontic proof of the equivalence of the above facts is done by showing 
that (1) $\Rightarrow$ (2) $\Rightarrow$ (3) $\Rightarrow$ (4) $\Rightarrow$ (1). This is done in a context where the uniqueness 
ness of complements and de Morgan's laws have already been established. 
For each implication there is a set of four focus objects which makes the im- 
plication obvious to the Ontic system. The proof of each implication shows 
superhuman performance involving congruence closure. 



3.1.2 A Very Fast Parallel Architecture 

This section proposes an architecture for massively parallel computation and 
argues that, unlike Boolean constraint propagation, congruence closure is 
difficult to implement on this architecture.¹ People make truth judgments 
about obvious statements in about a second. Although the computation 
performed by neurons is not well understood, it is clear that neurons run very 
slowly. It seems likely that neurons would require one to ten milliseconds to 
compute the logical and of two Boolean signals. If people are computing 
truth judgments with Boolean circuitry, and if the gate delay for neuronal 
hardware is on the order of one to ten milliseconds, then people make truth 
judgments about obvious statements in 100 to 1000 gate delays. Computing 
complex truth judgments in only 100 to 1000 gate delays requires massive 
parallelism. 

Consider a finite state machine where the state of the machine at time $i$ 
is given by an $n$-bit bit vector $\sigma_i$. The state transition table of the machine 
can be given by a Boolean circuit $\Phi$ of $n$ inputs and $n$ outputs where the 
state transitions of the machine are governed by the equation 

$\sigma_{i+1} = \Phi(\sigma_i)$ 

To make the finite state machine run quickly the Boolean circuit $\Phi$ should 
have low depth, say ten gates. If $\Phi$ has depth ten then a state transition can 
be computed in ten gate delays. However, the bit vector defining the state 
of the machine can be very large: millions or tens of millions of bits, and the 
circuit $\Phi$ can involve millions or tens of millions of gates. 

¹ It is easy to show that Boolean constraint propagation is polynomial time complete 
and thus "unparallelizable"; the worst case running time on a parallel machine is linear in 
the size of the graph. In many cases however, a parallel implementation would run much 
faster than a serial implementation; a parallel implementation runs in time proportional to 
the longest single inference chain while a serial implementation runs in time proportional 
to the total number of inferences. 

It seems possible to compile an Ontic graph structure into a Boolean 
circuit governing a finite state machine. More specifically, a labeling of an Ontic 
graph could be encoded in the state bit vector of the machine. The basic 
inference operations on graph labels could be incorporated into a Boolean 
circuit $\Phi$ governing state transitions. Two bits are needed for each formula 
node to represent the three possible labeling states of the node: true, false and 
unknown. Boolean constraints on formula nodes could be compiled directly 
into the structure of the Boolean circuit $\Phi$. Every node in an Ontic graph is 
also associated with a color label. The color label for a given node in the 
graph could be represented with a set of bits in the machine's state vector. 
The Boolean circuit governing state transitions could be designed in such 
a way that if an equation node became true then the color labels of the 
equated nodes at time i + 1 would each be set to the maximum of the two 
labels at time i. In this way the color labels could be made to respect the 
truth of equality formulas. With the exception of congruence closure, all of 
the inference techniques used in the Ontic system seem to be amenable to a 
massively parallel implementation in a low-depth Boolean circuit governing 
a finite state machine. 

The implementation of congruence closure described in chapter 5 uses a 
hash table to map color tuples to colors. In order to implement a hash table 
one needs to be able to compute memory addresses for a random access 
memory. I don't see any way of implementing parallel access to a large hash 
table in a low depth Boolean circuit governing a large finite state machine. 

Congruence closure can be replaced with substitution constraints as de- 
scribed in the next section. Substitution constraints are Boolean constraints 
involving equality formulas; such constraints can be compiled directly into a 
low-depth Boolean circuit governing a finite state machine. 



3.1.3 Substitution Constraints 

Substitution constraints provide an alternative to congruence closure for rea- 
soning about equality. Substitution constraints rely on Boolean constraint 
propagation's ability to handle certain equality inferences. Boolean con- 
straint propagation ensures a simple relationship between the truth of equal- 
ity formulas and the color labels encoding equivalence. Boolean constraint 
propagation, however, does not automatically handle the substitution of 
equals for equals; in the Ontic system substitution is handled by congruence 
closure. On the other hand, Boolean constraint propagation can be made to 
handle substitution by adding certain Boolean constraints called substitution 
constraints. Boolean constraint propagation with substitution constraints is 
weaker than congruence closure in that it generates fewer obvious truths in 
a given context. 

As a simple example of a substitution constraint consider a term $f(c)$ 
which consists of an operator $f$ applied to a specific argument $c$. We can 
assume that the operator $f$ is defined on objects of a certain type $\tau$ and that 
$c$ is an instance of $\tau$. Suppose that $g$ is a generic individual of type $\tau$. To 
ensure that inheritance works properly one can add the Boolean constraint 

$g = c \Rightarrow f(g) = f(c)$ 

Now if the system ever generates a binding $g \mapsto c$ then $g$ and $c$ will get 
the same color label and Boolean constraint propagation will ensure that 
the equation $g = c$ gets labeled true and thus, by the above substitution 
constraint, the equation $f(g) = f(c)$ will be labeled true. Independent of 
congruence closure, if $f(g)$ has the same color label as $f(c)$ then certain facts 
about $f(g)$ can be inherited by $f(c)$. For example if $f(g)$ is known to be 
an instance of a type $\sigma$ then $f(c)$ will also be known to be an instance of 
the type $\sigma$. Thus the above Boolean constraint allows the binding $g \mapsto c$ to 
cause $c$ to inherit facts that are stated in terms of $g$. 

Substitution constraints can be used to perform inferences based on the 
substitution of equals for equals. Suppose that $c$ is known to be equal to 
$b$ and consider the terms $f(c)$ and $f(b)$. Furthermore assume the graph 
structure underlying Boolean constraint propagation includes the following 
substitution constraints 

$g = c \Rightarrow f(g) = f(c)$ 

$g = b \Rightarrow f(g) = f(b)$ 

Now suppose that the system focuses on $c$ and generates the binding $g \mapsto c$. 
Since $c$ and $b$ are known to be equal, the nodes for $g$, $c$, and $b$ will all get the 
same color label. Thus the equations $g = c$ and $g = b$ will become true. Thus 
both the equations $f(g) = f(c)$ and $f(g) = f(b)$ will become true and the 
nodes for $f(g)$, $f(c)$ and $f(b)$ will all get the same color label. Thus focusing 
on $c$ causes the system to deduce that $f(c)$ equals $f(b)$. This scheme for 
handling substitution of equals for equals via substitution constraints can be 
suitably generalized to handle operators of more than one argument. 

Unlike congruence closure, substitution constraints combined with fo- 
cused binding and Boolean constraint propagation will only substitute equals 
for equals when the expressions being substituted for are focus objects. All 
of the examples of superhuman Ontic performance involve substitutions of 
non-focused expressions. 
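The two preceding subsections fit together in one small simulation, added here as an example in Python and not taken from the Ontic system: the labelling is a single state vector (a colour per term and a two-bit truth code per equation node), each `step()` computes the next state from the current one only, as the circuit $\Phi$ driving a finite state machine would, and the substitution constraints $g = c \Rightarrow f(g) = f(c)$ and $g = b \Rightarrow f(g) = f(b)$ are ordinary Boolean constraints in that circuit. Running the scenario with and without the substitution constraints shows that colour propagation alone never derives $f(c) = f(b)$. The term names, the equation nodes and the binding $g \mapsto c$ are constructed for the example.

```python
"""Boolean constraint propagation as a synchronous finite state machine.

Added illustration, not Ontic's own code. The labelling is one state
vector (a colour per term, a two-bit truth code per equation node) and
step() derives the next state from the current one alone, as a circuit
Phi driving a finite state machine would; run() counts the clock ticks.
Terms, equations and substitution constraints are constructed.
"""

UNKNOWN, TRUE, FALSE = 0, 1, 2       # two-bit truth code of a formula node


class Machine:
    def __init__(self, terms, equations, substitution_constraints):
        self.equations = list(equations)                   # (l, r) equation nodes
        self.subst = list(substitution_constraints)        # (antecedent eq, consequent eq)
        self.colour = {t: i for i, t in enumerate(terms)}  # every term starts with its own colour
        self.truth = {eq: UNKNOWN for eq in self.equations}

    def assert_true(self, eq):
        self.truth[eq] = TRUE

    def step(self):
        """One transition: read the old state only, write the whole new state."""
        colour, truth = self.colour, self.truth
        new_colour, new_truth = dict(colour), dict(truth)
        for eq in self.equations:
            l, r = eq
            if colour[l] == colour[r]:
                if truth[eq] == FALSE:
                    raise ValueError(f"inconsistent context at {eq}")
                new_truth[eq] = TRUE                       # one colour => equation true
            if truth[eq] == TRUE:                          # true equation => colours converge
                top = max(colour[l], colour[r])            # to the maximum of the two labels
                new_colour[l] = max(new_colour[l], top)
                new_colour[r] = max(new_colour[r], top)
        for ant, con in self.subst:                        # g = c => f(g) = f(c), as a constraint
            if truth[ant] == TRUE:
                new_truth[con] = TRUE
        changed = new_colour != colour or new_truth != truth
        self.colour, self.truth = new_colour, new_truth
        return changed

    def run(self, limit=64):
        """Step until the state is stable; return how many ticks changed something."""
        for ticks in range(limit):
            if not self.step():
                return ticks
        raise RuntimeError("no fixed point within the tick limit")


def build(with_substitution_constraints):
    """The scenario from the text: c = b known; g generic; terms f(g), f(c), f(b)."""
    terms = ["g", "c", "b", "f(g)", "f(c)", "f(b)"]
    equations = [("g", "c"), ("g", "b"), ("c", "b"),
                 ("f(g)", "f(c)"), ("f(g)", "f(b)"), ("f(c)", "f(b)")]
    subst = [(("g", "c"), ("f(g)", "f(c)")),
             (("g", "b"), ("f(g)", "f(b)"))] if with_substitution_constraints else []
    m = Machine(terms, equations, subst)
    m.assert_true(("c", "b"))
    m.run()
    return m


def focus_on_c(with_substitution_constraints=True):
    """Bind the generic g to the focus object c; report whether f(c) = f(b) is derived."""
    m = build(with_substitution_constraints)
    m.assert_true(("g", "c"))                                # the binding g |-> c
    ticks = m.run()
    return m.truth[("f(c)", "f(b)")] == TRUE, ticks
```

Because colours only ever rise to the maximum of an equated pair, the machine converges without any central bookkeeping, which is what makes it expressible as a low-depth circuit; the price is that equality between $f(c)$ and $f(b)$ is only found because a constraint mentioning the focus binding was present in the graph beforehand.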

3.1.4 Superhuman Performance Re-Examined 

It is important to note that the scheme for equality inference based on substitution 
constraints is not as powerful as the full congruence closure mechanism. 
More specifically, using substitution constraints the substitution of equals for 
equals can only be done when the substituted expressions are equal to some 
focus object. All of the examples of superhuman performance discussed above 
involve substitution for non-focused objects. For example consider the proof 
shown in chapter 2 that in a distributive lattice complements are unique. 
The uniqueness of complements is obvious to the Ontic system. 

Figure 2.1 in chapter 2 shows the Ontic "proof" that complements are 
unique together with an expanded derivation showing how the Ontic system 
proved that if $y_1$ and $y_2$ are both complements of $x$ then $y_1$ must equal $y_2$. 
The second line in the expanded derivation is derived by replacing $1$ with 
$(y_2 \vee x)$ even though neither $1$ nor $(y_2 \vee x)$ is a focus object. If congruence 
inference required focusing on the substituted expression then the second line 
could only be derived by focusing on $y_2 \vee x$. Similarly, line four is derived by 
substituting for $y_1 \wedge x$ even though $y_1 \wedge x$ is not a focus object. Lines five 
and seven also involve substitution for non-focused expressions. 

Even the weaker scheme based on substitution constraints could prove 
that complements are unique in a single inference step if the system focused 
on $x$, $y_1$, $y_2$, $y_2 \vee x$, $y_1 \wedge x$, $y_2 \wedge x$ and $y_1 \vee x$ all at the same time. However, 
it seems that people have a hard time focusing on seven objects simultaneously. 
The ability of the Ontic system to focus on a large number of objects 
simultaneously is perhaps another source of superhuman performance. 



3.2 Subhuman Performance 

Some proofs in the appendix exhibit subhuman performance which can be 
attributed, at least in part, to weaknesses in the lemma library. Other ex- 
amples, not given in the appendix, indicate weaknesses in the fundamental 
inference architecture. It is hoped that examples of subhuman performance 
lead to new inference techniques which increase the usefulness of verification 
systems. 



3.2.1 Weaknesses in the Lemma Library 

The lemma library developed in the appendix does not include a duality 
principle for lattices. Given an appropriate duality principle the proof of 
any identity in lattice theory would lead immediately to a proof of the dual 
identity. For example consider de Morgan's laws. A first de Morgan law can 
be phrased as follows. 

$(x \vee y)^* = x^* \wedge y^*$ 

A second de Morgan law can be derived from the first via a duality principle 
for Boolean lattices: the result of switching $\vee$ and $\wedge$ (and $1$ and $0$) in any 
Boolean lattice identity leads to another Boolean lattice identity. Given the 
duality principle for Boolean lattices the validity of the above de Morgan law 
leads immediately to the validity of the dual law: 

$(x \wedge y)^* = x^* \vee y^*$ 

One could incorporate the duality principle into the Ontic system by defining 
the dual of a lattice. Given any lattice (or any partial order) the dual of the 
lattice is defined to be that lattice which has the same elements but in which 
the partial order has been reversed. Using the Ontic system one could easily 
define a function which mapped any lattice to its dual lattice. Furthermore 
one could prove that if $L'$ is the dual of a Boolean lattice $L$ then $L'$ is a 
Boolean lattice such that the meet operation in $L'$ equals the join operation 
in $L$, the join operation in $L'$ equals the meet operation of $L$, and $L'$ has 
the same complement operation as $L$. Given a Boolean lattice identity $I$ one 
could then prove that the dual identity $I'$ must hold in an arbitrary Boolean 
lattice $L$ by considering the dual lattice $L'$ and noting that $I'$ holds in $L$ just 
in case the lattice identity $I$ holds in the dual $L'$. 

Another example where standard notions could be added to the lemma 
library to reduce the length of proofs involves the algebraic characterization 
of a lattice. It turns out that the partial order of a lattice is determined by 
the meet and join operations and in fact one can define a Boolean lattice 
to be a set together with meet, join and complement operations that satisfy 
certain equational axioms. This algebraic view of a lattice is described in 
textbooks on lattice theory and could be added to Ontic's lemma library. 
The algebraic view of a lattice would allow a shorter machine readable proof 
of one of the lemmas given in the appendix. More specifically, the algebraic 
view of a lattice provides a short proof that if S is a subset of a Boolean lattice 
L such that S is closed under the meet, join and complement operations of 
L then the set S together with the partial order of L restricted to S forms a 
lattice with the same lattice operations as L. 
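Both observations above, the duality construction and the algebraic view of an operation-closed subset, can be checked mechanically on a small finite Boolean lattice. The following is an added example in Python; it is not Ontic code and not from the thesis. It builds the powerset of a three-element set ordered by inclusion, recovers meet and join from the order alone, reverses the order to obtain the dual, and tests the two de Morgan laws, the duality argument, and the sublattice claim for a closed and a non-closed subset. The class and function names (FiniteLattice, powerset_lattice, holds_in and so on) are hypothetical.

```python
"""Duality and the algebraic view of sublattices on a finite Boolean lattice.

Added example (not from the thesis, not Ontic code).  A lattice is given
by its elements and its partial order; meet and join are recovered from
the order, the dual lattice reverses the order, and a Boolean lattice
identity is a predicate over (meet, join, complement, x, y).
"""
from itertools import combinations


class FiniteLattice:
    """A finite lattice presented order-theoretically: elements plus leq."""

    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq

    def _extremum(self, bounds, below):
        # The greatest lower bound (below=True) or least upper bound: the
        # bound that is comparable with every other bound in that direction.
        for z in bounds:
            if all((self.leq(w, z) if below else self.leq(z, w)) for w in bounds):
                return z
        raise ValueError("not a lattice: bound missing")

    def meet(self, x, y):
        lower = [z for z in self.elements if self.leq(z, x) and self.leq(z, y)]
        return self._extremum(lower, below=True)

    def join(self, x, y):
        upper = [z for z in self.elements if self.leq(x, z) and self.leq(y, z)]
        return self._extremum(upper, below=False)

    def dual(self):
        """Same elements, reversed order: meet and join trade places."""
        return FiniteLattice(self.elements, lambda a, b: self.leq(b, a))

    def restrict(self, subset):
        """The order of this lattice restricted to a subset of its elements."""
        return FiniteLattice(subset, self.leq)


def powerset_lattice(universe):
    """The Boolean lattice of all subsets of `universe` ordered by inclusion."""
    universe = frozenset(universe)
    subsets = [frozenset(c) for k in range(len(universe) + 1)
               for c in combinations(sorted(universe), k)]
    lattice = FiniteLattice(subsets, lambda a, b: a <= b)
    complement = lambda x: universe - x
    return lattice, complement


# Boolean lattice identities as predicates; the dual identity swaps meet and join.
def de_morgan_1(meet, join, comp, x, y):
    return comp(join(x, y)) == meet(comp(x), comp(y))     # (x v y)* = x* ^ y*

def de_morgan_2(meet, join, comp, x, y):
    return comp(meet(x, y)) == join(comp(x), comp(y))     # (x ^ y)* = x* v y*

def holds_in(lattice, comp, identity):
    """Does the identity hold for every pair of elements of the lattice?"""
    return all(identity(lattice.meet, lattice.join, comp, x, y)
               for x in lattice.elements for y in lattice.elements)

def dual_law_via_duality(lattice, comp):
    """The duality argument: the second law holds in L exactly when the
    first law holds in the dual lattice L' (same complement, reversed order)."""
    return holds_in(lattice.dual(), comp, de_morgan_1) == holds_in(lattice, comp, de_morgan_2)

def closed_under_ops(lattice, comp, subset):
    """Is the subset closed under meet, join and complement of the lattice?"""
    return all(lattice.meet(x, y) in subset and lattice.join(x, y) in subset
               and comp(x) in subset for x in subset for y in subset)

def sublattice_has_same_ops(lattice, subset):
    """Algebraic view: with the order restricted to `subset`, do meet and
    join agree with those of the enclosing lattice on every pair?"""
    sub = lattice.restrict(list(subset))
    return all(sub.meet(x, y) == lattice.meet(x, y) and sub.join(x, y) == lattice.join(x, y)
               for x in subset for y in subset)


if __name__ == "__main__":
    L, comp = powerset_lattice({0, 1, 2})
    print(holds_in(L, comp, de_morgan_1), holds_in(L, comp, de_morgan_2))
    print(dual_law_via_duality(L, comp))
    closed = {frozenset(), frozenset({0}), frozenset({1, 2}), frozenset({0, 1, 2})}
    not_closed = {frozenset(), frozenset({0}), frozenset({1}), frozenset({0, 1, 2})}
    print(closed_under_ops(L, comp, closed), sublattice_has_same_ops(L, closed))
    print(closed_under_ops(L, comp, not_closed), sublattice_has_same_ops(L, not_closed))
```

The non-closed subset {∅, {0}, {1}, {0,1,2}} is still a lattice under the restricted order, but its join of {0} and {1} is the whole set rather than {0,1}, which is exactly why closure under the operations is the hypothesis of the sublattice lemma.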



3.2.2 Mathematical Induction 

The clearest examples of subhuman behavior on the part of the Ontic system 
involve mathematical induction. Many common sense inferences appear to 
involve induction. Consider the following examples: 
• Consider a colored graph in which adjacent nodes have the same color, 
i.e. if there is an arc between nodes n and m then n and m have the 
same color. If nodes n and m have different colors then there is no path 
between them in the graph. A formal proof requires induction on the 
length of paths in the graph. 

• Consider a chess board. The white pawns start on the second rank and 
never move backward. Therefore no white pawn can ever appear on 
the first rank. A formal proof of this statement requires induction on 
the number of steps in the game. 

• Consider two containers for holding marbles. Initially each container is 
empty. Marbles are then placed in the containers in pairs; one marble 
from each pair is placed in each container. No matter how many times 
this is done, assuming the containers do not overflow, there will be 
the same number of marbles in each container. A formal proof of this 
statement requires an induction on the number of marbles placed in 
the containers. 

• Consider Rubik's cube. Suppose the cube starts in a solved position 
and is scrambled by some number of rotations of faces of the cube. 
There exists a set of steps that unscrambles the cube. A formal proof 
of this statement requires an induction on the number of rotations used 
to scramble the cube. 

• Consider a mouse running in a maze. Suppose the maze is arranged 
inside a box such that there are no openings in the walls of the box 
and the mouse can not jump over the walls. No matter how long the 
mouse runs, and no matter where it goes inside the maze, the mouse 
will not get outside the box. A formal proof of this statement requires 
induction on the number of "moves" the mouse makes in the box. 



In each of the above examples the conclusion is obvious to people. In each 
example, if the concepts involved were approximated by mathematically pre- 
cise notions, then any mathematician would accept the conclusion as obvious 
and would not ask for further proof. 
Ontic can be used to perform induction proofs. However induction proofs 
must be done explicitly: one must explicitly formulate the induction hypoth- 
esis and explicitly verify the induction step. For example, consider verifying 
that white pawns in a game of chess can not get to the first rank. This fact 
can be verified using the following induction principle for natural numbers. 

    (DEFTYPE SET-OF-NATNUMS 
      (LAMBDA ((S SET)) 
        (IS-EVERY (MEMBER-OF S) NATURAL-NUMBER))) 

    (LEMMA 
      (FORALL ((S SET-OF-NATNUMS)) 
        (=> (AND (IS ZERO (MEMBER-OF S)) 
                 (FORALL ((N (MEMBER-OF S))) 
                   (IS (SUCCESSOR N) (MEMBER-OF S)))) 
            (IS-EVERY NATURAL-NUMBER (MEMBER-OF S))))) 

The above induction principle says that if a set S contains zero and is closed 
under successor then it contains all numbers. The set S represents an induc- 
tion hypothesis; S is the set of numbers which satisfy the hypothesis. 

In the chess example one must prove that white pawns never end up on 
the first rank. More formally, let an instance of the type CHESS-GAME be 
a particular game of chess, i.e. a particular sequence of moves. If G is a 
particular chess game and N is some natural number then 

    (WHITE-PAWN-ON-BOARD G N) 

denotes the type whose instances are the white pawns which are on the chess 
board after the N'th move of the game G. We let 

    (RANK-OF P G N) 

be the rank occupied by the pawn P immediately after the N'th move of the 
game G. Figure 3.2 contains statements which follow from the rules of chess. 
An Ontic proof that pawns never get to the first rank is given in figure 3.3. 
The goals in the proof are numbered and the NOTE-GOAL steps are labeled 
with the number of the goal being noted. The proof uses the facts listed in 
figure 3.2 together with simple facts about the ordering of natural numbers. 

    (FORALL ((G CHESS-GAME) 
             (N NATURAL-NUMBER)) 
      (IS-EVERY (WHITE-PAWN-ON-BOARD G (SUCCESSOR N)) 
                (WHITE-PAWN-ON-BOARD G N))) 

    (FORALL ((G CHESS-GAME) 
             (N NATURAL-NUMBER) 
             (P (WHITE-PAWN-ON-BOARD G (SUCCESSOR N)))) 
      (IS (RANK-OF P G (SUCCESSOR N)) 
          (GREATER-OR-EQUAL-TO (RANK-OF P G N)))) 

    (FORALL ((G CHESS-GAME) 
             (P (WHITE-PAWN-ON-BOARD G ZERO))) 
      (IS (RANK-OF P G ZERO) 
          (EQUAL-TO TWO))) 

Figure 3.2: Statements which follow from the rules of chess. 


The proof starts by considering an arbitrary chess game G. The proof 
shows that the following induction hypothesis holds for any number N. 

    (FORALL ((P (WHITE-PAWN-ON-BOARD G N))) 
      (IS (RANK-OF P G N) 
          (GREATER-OR-EQUAL-TO TWO))) 

The induction principle for natural numbers states that if a set of numbers 
contains zero and is closed under successor then it contains all numbers. If 
the induction hypothesis is $\Phi(N)$ then one should consider the set of all N 
such that $\Phi(N)$. For the above induction hypothesis one should consider the 
following set: 

    (THE-SET-OF-ALL 
      (LAMBDA ((N NATURAL-NUMBER)) 
        (FORALL ((P (WHITE-PAWN-ON-BOARD G N))) 
          (IS (RANK-OF P G N) 
              (GREATER-OR-EQUAL-TO TWO))))) 

    (IN-CONTEXT ((LET-BE G CHESS-GAME) 
                 (LET-BE HYP-SATISFIERS 
                         (THE-SET-OF-ALL 
                           (LAMBDA ((N NATURAL-NUMBER)) 
                             (FORALL ((P (WHITE-PAWN-ON-BOARD G N))) 
                               (IS (RANK-OF P G N) 
                                   (GREATER-OR-EQUAL-TO TWO)))))) 
                 (PUSH-GOAL 
                   (IS-EVERY NATURAL-NUMBER 
                             (MEMBER-OF HYP-SATISFIERS))))          ;#1 
      (IN-CONTEXT ((PUSH-GOAL 
                     (IS ZERO (MEMBER-OF HYP-SATISFIERS))))        ;#2 
        (IN-CONTEXT ((LET-BE ZEROVAR ZERO)) 
          (IN-CONTEXT ((SUPPOSE 
                         (EXISTS-SOME (WHITE-PAWN-ON-BOARD G ZERO))) 
                       (LET-BE P (WHITE-PAWN-ON-BOARD G ZERO)) 
                       (LET-BE TWOVAR TWO)) 
            (NOTE-GOAL))                                           ;#2 
          (NOTE-GOAL)))                                            ;#2 
      (IN-CONTEXT ((PUSH-GOAL 
                     (FORALL ((N (MEMBER-OF HYP-SATISFIERS))) 
                       (IS (SUCCESSOR N) (MEMBER-OF HYP-SATISFIERS)))) ;#3 
                   (LET-BE SATISFIER (MEMBER-OF HYP-SATISFIERS)) 
                   (LET-BE NEXT-SATISFIER (SUCCESSOR SATISFIER))) 
        (IN-CONTEXT ((PUSH-GOAL 
                       (FORALL ((P (WHITE-PAWN-ON-BOARD G NEXT-SATISFIER))) 
                         (IS (RANK-OF P G NEXT-SATISFIER) 
                             (GREATER-OR-EQUAL-TO TWO)))))         ;#4 
          (IN-CONTEXT ((SUPPOSE 
                         (EXISTS-SOME 
                           (WHITE-PAWN-ON-BOARD G NEXT-SATISFIER))) 
                       (LET-BE P (WHITE-PAWN-ON-BOARD G NEXT-SATISFIER)) 
                       (LET-BE R1 (RANK-OF P G SATISFIER)) 
                       (LET-BE R2 (RANK-OF P G NEXT-SATISFIER)) 
                       (LET-BE TWOVAR TWO)) 
            (NOTE-GOAL))                                           ;#4 
          (NOTE-GOAL))                                             ;#4 
        (NOTE-GOAL))                                               ;#3 
      (IN-CONTEXT ((LET-BE N (MEMBER-OF HYP-SATISFIERS))) 
        (NOTE (IS HYP-SATISFIERS SET-OF-NATNUMS))) 
      (NOTE-GOAL))                                                 ;#1 

Figure 3.3: The proof that white pawns never get to the first rank. 
The Ontic proof in figure 3.3 focuses on the set representing the induction 
hypothesis. It then proceeds to prove the base case and induction step. The 
base case uses the fact that the rank of a white pawn at time zero equals 
two and every number is greater than or equal to itself. In order to apply 
the fact that every number is greater than equal to itself one must focus on 
the number two. The induction step uses the fact that the rank of the pawn 
at time n is greater or equal to two and the rank of the pawn at time n + 1 
is greater or equal to the rank at time n. To invoke the transitivity of the 
ordering on natural numbers one must focus on the three numbers given by 
the rank of pawn at times n and n + 1 together with the number two. 

The proof shown in figure 3.3 is clearly much longer than a natural lan- 
guage argument which simply states that white pawns never get to the first 
rank. This example indicates that without additional theorem proving mech- 
anisms the Ontic system will exhibit a large expansion factor on many in- 
duction proofs. 

One possible mechanism for reducing the expansion factor in induction 
proofs would be a backward chaining procedure (a tactic) for automatically 
generating proofs such as the one shown in the figure 3.3. It would be easy 
to automatically convert the induction hypothesis into a set of numbers and 
automatically focus on that set of numbers. Furthermore one could auto- 
matically attempt to prove the base and induction cases of the argument. 
As figure 3.3 shows however, proving the base and induction cases with the 
Ontic system may require focusing on additional objects. In figure 3.3 the 
user focuses on an arbitrary white pawn and the number two. In the induc- 
tion case the user focuses on the rank of the pawn at two different times. It 
seems that it might be difficult to automatically generate these additional 
focus objects. 

Several automated inference systems include inference mechanisms for 
handling mathematical induction [Boyer & Moore 79] [Huet & Hullot 83] 
[Ketonen 84]. Research is needed to determine if these, or other, induction 
mechanisms can be incorporated into the Ontic system. These inference 
mechanisms are all backward chaining; the induction hypothesis is taken 
from the goal statement. It would be interesting to see if some forward 
chaining induction mechanism could be found that was more in the spirit of 
Chapter 4 

Quantifier Free Inference 



Each context in the Ontic system is specified by a lemma library, a set of focus 
objects, and a set of assumptions. Given a lemma library, an assumption 
set, and a focus set the Ontic system uses focused forward chaining inference 
mechanisms to generate a set of "obvious truths" for the given context. In 
any given context the operations NOTE and NOTE-GOAL can be used to make 
permanent additions to the lemma library. 

Each lemma, focus object and assumption is an expression in the for- 
mal language Ontic. Rather than manipulate Ontic expressions directly, the 
Ontic system compiles these expressions into graph structure where there is 
a one to one correspondence between graph nodes and Ontic expressions. 
Compilation and inference are separate processes; compilation generates a 
graph structure and inference manipulates graph labelings without creating 
additional graph structure. For efficiency reasons the graph constructed by 
the Ontic system is saved and used repeatedly in many different contexts. 

In the Ontic system the current context is specified by incrementally 
adding and removing suppositions and focus objects. The system maintains 
a stack discipline with respect to the addition and removal of focus objects: 
the last supposition or focus object added must be the first one removed. The 
graph labeling of a given context is determined by the lemma library, focus 
objects and suppositions; the graph labeling does not depend on how the 
context was constructed. Labelings can be computed incrementally however. 
When a focus object or supposition is added Ontic's inference mechanisms 
extend the labeling to include more truth labels and to satisfy more equiv- 
alences. The system also maintains an "undo list" so that when a focus 
object or supposition is removed the previous context can be restored and 
then updated to reflect additions to the lemma library. 

Chapters 6 and 7 specify the formal language Ontic and the way in which 
the graph structure is generated from the lemma library. This chapter, and 
the one that follows, specify the formal structure of the graph and the mecha- 
nisms for labeling that graph. The graphs constructed by the Ontic compiler 
have five different kinds of nodes and nine different kinds of "links" between 
nodes. However, this chapter discusses only those kinds of nodes and links 
that are used in Boolean constraint propagation and congruence closure. 
These node types and link types are introduced in three stages by defining 
three progressively more sophisticated types of graphs. 

The first two sections of this chapter discuss graph structure and in- 
ference mechanisms that are relevant to Boolean constraint propagation. 
Boolean constraint propagation is responsible for enforcing certain Boolean 
constraints on formula nodes and for enforcing certain relationships between 
truth labels of equation nodes and color labels representing equivalences. 
Congruence closure ensures that the color labels that represent equivalences 
respect the substitution of equals for equals. 



4.1 Boolean Constraint Graphs 

This section describes Boolean constraint graphs and the inference mecha- 
nisms that apply to them. Sections 4.1.2 and 4.1.3 can be safely ignored by 
readers who are not interested in correctness proofs; the graph structure and 
inference mechanisms are fully specified by the end of section 4.1.1. 

Boolean constraint graphs are a very simple approximation of the graphs 
produced by the Ontic compiler; Boolean constraint graphs have only a single 
kind of node and a single kind of link. The nodes represent formulas and 
each link is a disjunctive constraint on truth values assigned to the nodes. 

Definition: Let $\mathcal{N}$ be a set of formula nodes. A literal $\Psi$ over 
$\mathcal{N}$ is either a node $n$ in $\mathcal{N}$ or the negation $\neg n$ of some node $n$ in 
$\mathcal{N}$. 

A clause over $\mathcal{N}$ is a disjunction of the form 

$\Psi_1 \vee \Psi_2 \vee \ldots \Psi_n$ 

where each $\Psi_i$ is a literal over $\mathcal{N}$. 

A Boolean constraint graph B consists of a set of formula nodes 
and a set of clauses over those nodes. 



The Boolean constraint propagation algorithm manipulates partial truth 
labelings of Boolean constraint graphs. More specifically, the propagation 
algorithm extends partial truth labelings in a manner justified by the clauses 
in the graph. 



Definition: A partial truth labeling $\gamma$ of Boolean constraint graph 
B is a partial map from the nodes in B to the set {true, false}; 
if $n$ is a node in B then $\gamma(n)$ is either true, false or undefined. 

A partial truth labeling $\gamma$ on B determines a partial truth labeling 
on all literals $\Psi$ over B as follows: 

$$\gamma(\neg n) = \begin{cases} \text{false} & \text{if } \gamma(n) = \text{true} \\ \text{true} & \text{if } \gamma(n) = \text{false} \\ \text{undefined} & \text{if } \gamma(n) \text{ is undefined} \end{cases}$$ 

Each clause is a disjunction of the form 

$\Psi_1 \vee \Psi_2 \vee \ldots \Psi_n$ 

which states that one of the literals must be true. The propagation algorithm 
is based on the notion of a unit clause; Boolean constraint propagation ex- 
tends partial truth labels by identifying unit clauses in the graph structure. 
The notion of a unit clause is defined relative to the partial truth labeling $\gamma$. 
Consider a clause of the form 

$\Psi_1 \vee \Psi_2 \vee \ldots \Psi_n$ 

and a partial truth label $\gamma$. If $\gamma(\Psi_1)$ is false then the above clause expresses 
the constraint that one of the other literals must be true. In general one 
should only pay attention to the non-false literals in a clause. A clause with 
only a single non-false literal is called a unit clause. 



Definition: A clause $\Psi_1 \vee \Psi_2 \vee \ldots \Psi_n$ is called a $\gamma$-unit-clause if 
there is exactly one literal $\Psi_i$ such that $\gamma(\Psi_i)$ is not false. The 
single non-false literal is called the unit literal of the clause. 

An open $\gamma$-unit-clause is a $\gamma$-unit-clause where the unit literal has 
no truth label under $\gamma$, i.e. $\gamma(\Psi)$ is undefined for the unit literal $\Psi$. 

An open $\gamma$-unit-clause provides grounds for extending the partial truth 
labeling $\gamma$; if there is only one non-false literal in a clause C then the remain- 
ing literal, the unit literal of the clause, must be true. Boolean constraint 
propagation uses open unit clauses to extend the truth labeling until either 
an inconsistency is discovered or there are no remaining open unit clauses. 



Definition: Let B be a Boolean constraint graph and let $\gamma$ be a 
partial truth labeling on B. 

The partial labeling $\gamma$ will be called B-inconsistent if there is some 
clause 

$\Psi_1 \vee \Psi_2 \vee \ldots \Psi_n$ 

in B such that $\gamma(\Psi_i)$ is false for each literal $\Psi_i$ in the clause. If 
$\gamma$ is not B-inconsistent we say that $\gamma$ is B-consistent. 

Let $\Psi$ be any literal over the nodes in B such that $\gamma(\Psi)$ is un- 
defined. The labeling $\gamma[\Psi := \text{true}]$ is the partial truth labeling 
which agrees with $\gamma$ on all nodes other than that appearing in 
$\Psi$ and such that $\gamma[\Psi := \text{true}](\Psi)$ equals true. $\gamma[\Psi := \text{false}]$ is 
defined similarly. 

Boolean constraint propagation starts with an arbitrary partial labeling 
$\gamma$ of a Boolean constraint graph B and returns a new partial labeling $N_B(\gamma)$. 
The Boolean constraint propagation procedure can be defined as follows: 



Definition: A partial truth labeling $\gamma$ of a Boolean constraint 
graph B is called normalized if either it is B-inconsistent or there 
are no open unit clauses in B under $\gamma$. 

Procedure for Computing $N_B(\gamma)$: 

If $\gamma$ is normalized then return $\gamma$, otherwise choose an open $\gamma$-unit- 
clause in B with unit literal $\Psi$ and return the labeling $N_B(\gamma[\Psi := \text{true}])$. 

Since there are only finitely many formula nodes in B the partial truth 
labeling can not be extended indefinitely and the recursion in the above 
procedure must terminate. Furthermore the labeling returned by the above 
procedure is always normalized. 

The normalization of a labeling of a Boolean constraint graph involves 
inference. If a labeling $\gamma'$ can be derived via a single inference from a labeling 
$\gamma$ then we write $\gamma \rightarrow_B \gamma'$. In analyzing Ontic's inference mechanisms the one 
step inference relation $\rightarrow_B$ is easier to think about than the normalization 
function $N_B$. More formally, for any Boolean constraint graph B the relation 
$\rightarrow_B$ is defined on the labelings of B as follows: 



Definition: Let $\gamma$ and $\gamma'$ be two partial truth labelings of a 
Boolean constraint graph B. We write $\gamma \rightarrow_B \gamma'$ if $\gamma$ is B-consistent 
and $\gamma'$ can be derived in a single unit inference from $\gamma$, i.e. if there 
is some open $\gamma$-unit-clause in B with unit literal $\Psi$ and such that 
$\gamma'$ equals $\gamma[\Psi := \text{true}]$. 



The relation $\rightarrow_B$ should be viewed as a reduction relation analogous to re- 
duction relations in the lambda calculus or term rewriting systems. For any 
labeling $\gamma$ of B the normalized labeling $N_B(\gamma)$ is the normalization of $\gamma$ under 
the reduction relation $\rightarrow_B$. 



4.1.1 Compiling Boolean Combinations 

The graph structure used in semantic modulation is constructed by compiling 
expressions in the Ontic language; the compilation process translates the 
Ontic expressions into graph structure. The utility of Boolean constraint 
propagation is best understood in light of this compilation process. The 
full Ontic compiler is precisely defined in chapter 7. However this section 
describes the compilation of Boolean combinations of formulas. 

The compilation process converts an Ontic formula $\Phi$ to a formula node 
$n_\Phi$. Certain Ontic formulas are associated with clauses called meaning pos- 
tulates. When the node $n_\Phi$ is constructed the meaning postulates for $\Phi$ 
are added to the graph. For example suppose that the formula $\Phi$ is a 
Boolean combination of the formulas $\Theta_1$ and $\Theta_2$, e.g. $\Phi$ might be the formula 
(OR $\Theta_1$ $\Theta_2$). The meaning postulates for $\Phi$ are clauses that relate the node 
$n_\Phi$ to the nodes $n_{\Theta_1}$ and $n_{\Theta_2}$. The exact nature of the clauses relating $n_\Phi$ 
to $n_{\Theta_1}$ and $n_{\Theta_2}$ depends on the Boolean connective used in $\Phi$. Table 4.1 
shows the meaning postulates for the Boolean connectives used in the Ontic 
system. 

Table 4.1: Meaning postulates for Boolean connectives 

Formula $\Phi$ = (AND $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$: 
  $\neg n_{(\mathtt{AND}\,\Theta_1\,\Theta_2)} \vee n_{\Theta_1}$, i.e. $n_{(\mathtt{AND}\,\Theta_1\,\Theta_2)} \Rightarrow n_{\Theta_1}$ 
  $\neg n_{(\mathtt{AND}\,\Theta_1\,\Theta_2)} \vee n_{\Theta_2}$, i.e. $n_{(\mathtt{AND}\,\Theta_1\,\Theta_2)} \Rightarrow n_{\Theta_2}$ 
  $\neg n_{\Theta_1} \vee \neg n_{\Theta_2} \vee n_{(\mathtt{AND}\,\Theta_1\,\Theta_2)}$, i.e. $n_{\Theta_1} \wedge n_{\Theta_2} \Rightarrow n_{(\mathtt{AND}\,\Theta_1\,\Theta_2)}$ 

Formula $\Phi$ = (OR $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$: 
  $\neg n_{\Theta_1} \vee n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)}$, i.e. $n_{\Theta_1} \Rightarrow n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)}$ 
  $\neg n_{\Theta_2} \vee n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)}$, i.e. $n_{\Theta_2} \Rightarrow n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)}$ 
  $\neg n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)} \vee n_{\Theta_1} \vee n_{\Theta_2}$, i.e. $n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)} \Rightarrow n_{\Theta_1} \vee n_{\Theta_2}$ 

Formula $\Phi$ = (IMPLIES $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$: 
  $\neg n_{\Theta_2} \vee n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)}$, i.e. $n_{\Theta_2} \Rightarrow n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)}$ 
  $n_{\Theta_1} \vee n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)}$, i.e. $\neg n_{\Theta_1} \Rightarrow n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)}$ 
  $\neg n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)} \vee \neg n_{\Theta_1} \vee n_{\Theta_2}$, i.e. $n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)} \wedge n_{\Theta_1} \Rightarrow n_{\Theta_2}$ 

Formula $\Phi$ = (IFF $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$: 
  $\neg n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)} \vee \neg n_{\Theta_1} \vee n_{\Theta_2}$, i.e. $n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)} \wedge n_{\Theta_1} \Rightarrow n_{\Theta_2}$ 
  $\neg n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)} \vee n_{\Theta_1} \vee \neg n_{\Theta_2}$, i.e. $n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)} \wedge \neg n_{\Theta_1} \Rightarrow \neg n_{\Theta_2}$ 
  $\neg n_{\Theta_1} \vee \neg n_{\Theta_2} \vee n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)}$, i.e. $n_{\Theta_1} \wedge n_{\Theta_2} \Rightarrow n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)}$ 
  $n_{\Theta_1} \vee n_{\Theta_2} \vee n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)}$, i.e. $\neg n_{\Theta_1} \wedge \neg n_{\Theta_2} \Rightarrow n_{(\mathtt{IFF}\,\Theta_1\,\Theta_2)}$ 

Formula $\Phi$ = (NOT $\Theta$); meaning postulates for $n_\Phi$: 
  $n_{\Theta} \vee n_{(\mathtt{NOT}\,\Theta)}$ 
  $\neg n_{\Theta} \vee \neg n_{(\mathtt{NOT}\,\Theta)}$ 

Boolean constraint propagation generates a normalized partial truth la- 
beling of the constraint graph generated by the compilation process. If the 
normalized labeling is B-consistent then the meaning postulates for Boolean 
connectives ensure certain relationships between Boolean formulas and their 
subformulas. For example consider the following meaning postulate for im- 
plications of the form (IMPLIES $\Theta_1$ $\Theta_2$) 

$\neg n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)} \vee \neg n_{\Theta_1} \vee n_{\Theta_2}$ 
Now suppose $\gamma$ is a B-consistent normalized partial truth labeling such that 
$\gamma(n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)})$ is true and $\gamma(n_{\Theta_1})$ is true. In this case the first two 
literals in the above clause are labeled false under $\gamma$. By assumption $\gamma$ is 
B-consistent so the last literal is not false. Furthermore since $\gamma$ is assumed 
to be normalized the above clause can not be an open $\gamma$-unit-clause so the 
last literal must be labeled true. In summary: 

If $\gamma$ is a B-consistent normalized labeling such that 

$\gamma(n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)}) = \text{true}$ 

and 

$\gamma(n_{\Theta_1}) = \text{true}$ 

then 

$\gamma(n_{\Theta_2}) = \text{true}$ 

Thus B-consistent normalized labelings are closed under the inference rule 
of modus ponens. A similar argument can be used to prove the following: 

If $\gamma$ is a B-consistent normalized labeling such that 

$\gamma(n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_2)}) = \text{true}$ 

and 

$\gamma(n_{\Theta_2}) = \text{false}$ 

then 

$\gamma(n_{\Theta_1}) = \text{false}$ 

A similar argument concerning the meaning postulates for negations shows 
that if $\gamma$ is a B-consistent normalized partial truth labeling and the nodes 
$n_\Theta$ and $n_{(\mathtt{NOT}\,\Theta)}$ have been constructed in the graph then either $\gamma$ does not 
provide a truth label for either of these nodes or $\gamma$ assigns these nodes 
opposite labels. 

Now let op be any binary Boolean operator listed in table 4.1 and let $\gamma$ be a 
B-consistent normalized truth labeling. The meaning postulates ensure the 
following conditions: 

• If the nodes $n_{\Theta_1}$ and $n_{\Theta_2}$ both have truth labels then any node of the 
form $n_{(op\,\Theta_1\,\Theta_2)}$ also has a truth label; $n_{(op\,\Theta_1\,\Theta_2)}$ has the truth label 
given by the meaning of op. 

• If the meaning of op allows the truth of (op $\Theta_1$ $\Theta_2$) to be derived 
from either the truth label for $n_{\Theta_1}$ or the truth label for $n_{\Theta_2}$ then 
$n_{(op\,\Theta_1\,\Theta_2)}$ has the appropriate truth label. For example a disjunction 
is true whenever one of its disjuncts is true and a conjunction is false 
whenever one of its conjuncts is false. 

• If the meaning of op allows the truth of $n_{\Theta_1}$ to be derived from the 
truth label of $n_{(op\,\Theta_1\,\Theta_2)}$ then $n_{\Theta_1}$ has the appropriate truth label. For 
example if a conjunction is true then each conjunct is true and if a 
disjunction is false then each disjunct is false. If an implication is false 
then its antecedent is true and its consequent is false. 

• If the meaning of op allows the truth of $n_{\Theta_1}$ to be derived from both 
the truth label of $n_{(op\,\Theta_1\,\Theta_2)}$ and the truth label of $n_{\Theta_2}$ then $n_{\Theta_1}$ has 
the appropriate truth label. An analogous statement holds for deriving 
labelings of $n_{\Theta_2}$ from labelings of $n_{(op\,\Theta_1\,\Theta_2)}$ and $n_{\Theta_1}$. For example if 
a conjunction is labeled false and one of its conjuncts is labeled true 
then the other will be labeled false. If a disjunction is labeled true and 
one of its disjuncts is labeled false then the other disjunct will be 
labeled true. 



The above properties of a B-consistent normalized labeling $\gamma$ do not guar- 
antee that $\gamma$ is closed under all possible Boolean inferences. Boolean con- 
straint propagation constructs a normalized labeling in time proportional to 
the number of nodes in the graph; assuming P $\neq$ NP any logically com- 
plete Boolean inference mechanism requires exponential time. Thus it is not 
surprising that Boolean constraint propagation is logically incomplete. More 
specifically, Boolean constraint propagation does not perform case analyses. 
For example there exists a B-consistent normalized labeling $\gamma$ with the fol- 
lowing properties: 

$\gamma(n_{(\mathtt{OR}\,\Theta_1\,\Theta_2)}) = \text{true}$ 

$\gamma(n_{(\mathtt{IMPLIES}\,\Theta_1\,\Theta_3)}) = \text{true}$ 

$\gamma(n_{(\mathtt{IMPLIES}\,\Theta_2\,\Theta_3)}) = \text{true}$ 

$\gamma(n_{\Theta_3})$ is undefined 

In the above situation Boolean constraint propagation does not generate 
truth labels for any of the nodes $n_{\Theta_1}$, $n_{\Theta_2}$ or $n_{\Theta_3}$. 

4.1.2 Order Independence for Boolean Inference 

The Boolean constraint propagation procedure defined above is non-deterministic; 
the procedure extends a partial truth labeling by non-deterministically choos- 
ing an open unit clause. Fortunately however, one can prove that the labeling 
generated by the propagation procedure is independent of the order in which 
open unit clauses are chosen. 



Definition: Two partial labelings $\gamma_1$ and $\gamma_2$ of a Boolean con- 
straint graph B will be called B-equivalent if either $\gamma_1$ equals $\gamma_2$ 
or both $\gamma_1$ and $\gamma_2$ are B-inconsistent. 

Normalization Theorem: For any partial labeling $\gamma$ of a Boolean 
constraint graph B the Boolean constraint propagation procedure 
terminates and all possible values of $N_B(\gamma)$ are B-equivalent. 

This theorem can be proven by examining the inference relation $\rightarrow_B$. 
Viewing $\rightarrow_B$ as a reduction relation, the above theorem is implied by the 
fact that the relation $\rightarrow_B$ satisfies a certain Church-Rosser property. The 
Church-Rosser property of $\rightarrow_B$ is proven using general lemmas that apply 
to any reduction relation. 



Definition: For any binary relation $\rightarrow$ we write $x \rightarrow^* y$ if either 
$x$ equals $y$ or there exists some $z$ such that $x \rightarrow z$ and $z \rightarrow^* y$. 

We say that $\rightarrow$ is well founded if there is no infinite sequence 

$x_1 \rightarrow x_2 \rightarrow x_3 \rightarrow \cdots$ 

We say that $y$ is a normal form under $\rightarrow$ if there is no $z$ such 
that $y \rightarrow z$. We say that $y$ is a normal form of $x$ under $\rightarrow$ if $y$ is 
a normal form under $\rightarrow$ and $x \rightarrow^* y$. 

We say that $\rightarrow$ is a terminating normalizer modulo an equiv- 
alence relation $\approx$ if $\rightarrow$ is well founded and normalizations under 
$\rightarrow$ are unique up to $\approx$, i.e. if $y$ and $z$ are both normal forms of $x$ 
then $y \approx z$. 

$\rightarrow_B$ Normalization Lemma: $\rightarrow_B$ is a terminating normalizer 
modulo B-equivalence. 



To prove the normalization lemma first note that whenever $\gamma \rightarrow_B \gamma'$ the 
labeling $\gamma'$ provides more truth labels than does $\gamma$. Since there are only 
finitely many nodes in B there can not be any infinitely long reduction chains 
under the relation $\rightarrow_B$. Thus $\rightarrow_B$ is well founded. Thus, to prove that $\rightarrow_B$ 
is a terminating normalizer it suffices to show that normal forms are unique 
up to B-equivalence. 



Definition: We say that $\rightarrow$ satisfies the diamond property mod- 
ulo an equivalence relation $\approx$ if for every $x$, $y$ and $z$ such that 
$x \rightarrow y$ and $x \rightarrow z$ there exists a $w$ and $w'$ such that $y \rightarrow^* w$, 
$z \rightarrow^* w'$ and $w \approx w'$. 

Diamond Lemma: If $\rightarrow$ is well founded and satisfies the dia- 
mond property modulo $\approx$ then for any object $x$ in the domain 
of the relation $\rightarrow$, all normal forms of $x$ under $\rightarrow$ are equivalent 
under $\approx$, i.e. $\rightarrow$ is a terminating normalizer modulo $\approx$. 

The diamond lemma as stated above is a straightforward modification of 
a theorem proved by Knuth and Bendix for term rewrite systems [Knuth & 
Bendix 69]. The diamond property for a given relation can be proven by 
showing that individual inferences commute. More specifically if there are 
two open unit clauses which each can be used to extend the partial truth 
labeling in two different ways then one can perform both inferences and the 
result is the same no matter which inference is performed first. Unfortunately 
the situation is complicated by the possibility of contradictions but the basic 
result holds: $\rightarrow_B$ satisfies the diamond property modulo B-equivalence of 
partial truth labelings. 
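The diamond lemma is stated for an arbitrary reduction relation, and on a finite graph its hypotheses and conclusion can be checked exhaustively. The following is an added example in Python, not from the thesis: the one-step relation $\rightarrow_B$ is enumerated over a constructed three-node graph as a function from a labeling to every labeling one unit inference away, and generic functions test well-foundedness, the diamond property modulo B-equivalence, and uniqueness of normal forms modulo that equivalence. One of the two constructed graphs has the contradiction case discussed above, where all normal forms are B-inconsistent. The names make_relation and check_diamond_lemma are hypothetical.

```python
"""Checking the diamond lemma on the one-step unit-inference relation ->_B.

Added example, not from the thesis.  A labeling is a tuple with one entry
per node (True, False or None); a clause is a list of (node, polarity)
pairs, where polarity False stands for the negated node.
"""


def lit_value(gamma, lit):
    """Truth value of a literal under a partial labeling (None = undefined)."""
    node, pol = lit
    return None if gamma[node] is None else gamma[node] == pol


def inconsistent(gamma, clauses):
    """B-inconsistent: some clause has every literal labeled false."""
    return any(all(lit_value(gamma, l) is False for l in c) for c in clauses)


def make_relation(clauses):
    """Return (step, equiv): step enumerates every gamma' with gamma ->_B gamma',
    equiv is B-equivalence (equal labelings, or both B-inconsistent)."""
    def step(gamma):
        if inconsistent(gamma, clauses):
            return []                      # ->_B only applies to consistent labelings
        out = []
        for c in clauses:
            non_false = [l for l in c if lit_value(gamma, l) is not False]
            if len(non_false) == 1 and lit_value(gamma, non_false[0]) is None:
                node, pol = non_false[0]   # open unit clause: assert its unit literal
                g = list(gamma)
                g[node] = pol
                out.append(tuple(g))
        return out

    def equiv(g1, g2):
        return g1 == g2 or (inconsistent(g1, clauses) and inconsistent(g2, clauses))

    return step, equiv


def reachable(x, step):
    """Every y with x ->* y (reflexive-transitive closure, x included)."""
    seen, stack = {x}, [x]
    while stack:
        for z in step(stack.pop()):
            if z not in seen:
                seen.add(z)
                stack.append(z)
    return seen


def is_well_founded(x, step):
    """No infinite chain from x; on a finite reachable set that means no cycle."""
    def visit(y, path):
        return y not in path and all(visit(z, path | {y}) for z in step(y))
    return visit(x, frozenset())


def has_diamond_property(x, step, equiv):
    """Diamond property modulo equiv, checked at every u reachable from x."""
    for u in reachable(x, step):
        succ = step(u)
        for y in succ:
            for z in succ:
                ry, rz = reachable(y, step), reachable(z, step)
                if not any(equiv(w, w2) for w in ry for w2 in rz):
                    return False
    return True


def normal_forms(x, step):
    return {y for y in reachable(x, step) if not step(y)}


def normal_forms_unique(x, step, equiv):
    nfs = list(normal_forms(x, step))
    return all(equiv(a, b) for a in nfs for b in nfs)


def check_diamond_lemma(clauses, n_nodes):
    """From the empty labeling: (well founded, diamond, unique normal forms,
    and whether the lemma's implication premises => uniqueness holds)."""
    step, equiv = make_relation(clauses)
    empty = (None,) * n_nodes
    wf = is_well_founded(empty, step)
    dia = has_diamond_property(empty, step, equiv)
    uniq = normal_forms_unique(empty, step, equiv)
    return wf, dia, uniq, (not (wf and dia)) or uniq


# Constructed graphs over nodes 0, 1, 2.  The first forces n2 from either
# n0 or n1; the second demands n2 from n0 and not-n2 from n1, so every
# normal form is B-inconsistent and uniqueness holds only modulo equivalence.
CONSISTENT = [[(0, True)], [(1, True)], [(0, False), (2, True)], [(1, False), (2, True)]]
CONTRADICTORY = [[(0, True)], [(1, True)], [(0, False), (2, True)], [(1, False), (2, False)]]

if __name__ == "__main__":
    print(check_diamond_lemma(CONSISTENT, 3))
    print(check_diamond_lemma(CONTRADICTORY, 3))
```

For the consistent graph there is a single normal form, the labeling that makes all three nodes true, whichever of the two initial unit clauses is used first; for the contradictory graph several distinct inconsistent labelings are reached, which is why B-equivalence rather than equality is the right notion for the lemma.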
Lemma: $\rightarrow_B$ satisfies the diamond property modulo B-equivalence. 

Proof: Suppose $\gamma_0 \rightarrow_B \gamma_1$ and $\gamma_0 \rightarrow_B \gamma_2$ where $\gamma_1$ is a different 
labeling from $\gamma_2$. From the definition of $\rightarrow_B$ there must exist 
distinct literals $\Psi_1$ and $\Psi_2$ such that 

$\gamma_1 = \gamma_0[\Psi_1 := \text{true}]$ 

and 

$\gamma_2 = \gamma_0[\Psi_2 := \text{true}]$ 

Let $c_1$ be the clause in B which is an open $\gamma_0$-unit-clause with 
unit literal $\Psi_1$ and let $c_2$ be the clause in B which is an open 
$\gamma_0$-unit-clause with unit literal $\Psi_2$. 

First suppose that $\Psi_1$ and $\Psi_2$ are opposite literals for the same 
formula node. In this case the assignment $\Psi_1 := \text{true}$ will cause 
$\Psi_2$ to be false. Thus every literal in $c_2$ will be false under $\gamma_1$ so 
in this case $\gamma_1$ is B-inconsistent. Similarly every literal in $c_1$ will 
be false under $\gamma_2$ and so in this case $\gamma_2$ is B-inconsistent. But if 
$\gamma_1$ and $\gamma_2$ are both B-inconsistent then they are B-equivalent so 
the diamond property holds. 

Now suppose that the literals $\Psi_1$ and $\Psi_2$ involve different for- 
mula nodes. Let $\gamma_3$ be the labeling 

$(\gamma_0[\Psi_1 := \text{true}])[\Psi_2 := \text{true}]$ 

Since $\Psi_1$ and $\Psi_2$ involve different formula nodes $\gamma_3$ can also be 
written as 

$(\gamma_0[\Psi_2 := \text{true}])[\Psi_1 := \text{true}]$ 

Since $\Psi_1$ and $\Psi_2$ involve different formula nodes the clause $c_2$ is 
still an open $\gamma_1$-unit-clause. Thus if $\gamma_1$ is B-consistent then $\gamma_1 \rightarrow_B \gamma_3$. 
Similarly if $\gamma_2$ is B-consistent then $\gamma_2 \rightarrow_B \gamma_3$. Thus if both $\gamma_1$ and 
$\gamma_2$ are B-consistent then they both reduce to $\gamma_3$ so the diamond 
property holds. If both $\gamma_1$ and $\gamma_2$ are B-inconsistent then they are 
B-equivalent so the diamond property holds. Now suppose that 
$\gamma_1$ is B-consistent but $\gamma_2$ is not. In this case $\gamma_1$ reduces to $\gamma_3$. But 
$\gamma_3$ is a proper extension of $\gamma_2$ and $\gamma_2$ is B-inconsistent so $\gamma_3$ must 
also be B-inconsistent. But this implies that $\gamma_3$ is B-equivalent 
to $\gamma_2$ so the diamond property holds. 

Since $\rightarrow_B$ is well founded and satisfies the diamond property modulo 
B-equivalence for partial truth labelings the Knuth-Bendix diamond lemma 
implies that normalizations are unique up to B-equivalence and thus $\rightarrow_B$ 
is a terminating normalization relation modulo B-equivalence. Thus, up to 
B-equivalence, there is only one possible value of $N_B(\gamma)$. 



4.1.3 Semantic Soundness 

For any Boolean constraint graph $\mathcal{B}$ the relation $\to_\mathcal{B}$ can be viewed as an 
inference relation. It is possible to provide a simple semantics for Boolean 
constraint graphs and prove that the relation $\to_\mathcal{B}$ is sound modulo this 
semantics. For the most part the soundness of $\to_\mathcal{B}$ is self evident. However 
the semantics given here provides groundwork that will be needed to prove 
the soundness of semantic modulation inference relations. 

Any semantic interpretation of a set of formula nodes provides a way of 
assigning every node a truth value, either true or false. Thus any semantic 
interpretation of a set of formula nodes yields a complete truth labeling of 
those nodes. 

Definition: A partial truth labeling of a Boolean constraint 
graph $\mathcal{B}$ is called complete if it assigns every node a truth la- 
bel. Complete labelings will be called Boolean interpretations 
and will be denoted with the Greek letter $\omega$. 

Clauses in a Boolean constraint graph and any partial truth labelings express 
constraints on possible interpretations. 



Definition: Let $\mathcal{B}$ be a Boolean constraint graph, let $\gamma$ be a 
partial truth assignment on the nodes in $\mathcal{B}$, and let $\omega$ be a Boolean 
interpretation of the nodes in $\mathcal{B}$. 

We say that $\omega$ satisfies a clause 

$$\Psi_1 \vee \Psi_2 \vee \ldots \vee \Psi_k$$

if $\omega$ makes at least one of the literals $\Psi_i$ true. We say that $\omega$ 
satisfies the Boolean constraint graph $\mathcal{B}$ just in case $\omega$ satisfies 
every clause in $\mathcal{B}$. 

We say that $\omega$ satisfies the partial truth labeling $\gamma$ if every node 
that is assigned a truth label by $\gamma$ is assigned the same truth label 
by $\omega$. 

The reduction relation $\to_\mathcal{B}$ can be viewed as a sound inference relation 
in the sense that if $\gamma_1 \to_\mathcal{B} \gamma_2$ then every constraint in $\gamma_2$ is implied by the 
constraints in $\gamma_1$ and $\mathcal{B}$, i.e. if $\omega$ satisfies $\gamma_1$ and $\mathcal{B}$ then $\omega$ also satisfies $\gamma_2$. 

$\to_\mathcal{B}$ Soundness Lemma: If $\omega$ is a Boolean interpretation that 
satisfies a Boolean constraint graph $\mathcal{B}$ and a partial truth labeling 
$\gamma$, and if $\gamma \to_\mathcal{B} \gamma'$, then $\omega$ satisfies $\gamma'$. 
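The diamond-property argument of the previous section and the $\to_\mathcal{B}$ soundness lemma can both be checked on a small graph. The following Python block is an added example, not code from the Ontic system: it implements unit inference over clauses on named formula nodes, normalizes one constructed labeling in two different reduction orders (which yields identical normal forms in the consistent case and two different but $\mathcal{B}$-equivalent labelings in the inconsistent case), and checks the soundness lemma by enumerating every Boolean interpretation. The encoding of literals and clauses and the two sample graphs are assumptions of this example.

```python
"""Unit inference (->_B) on a Boolean constraint graph: an added example,
not code from the Ontic system.  Formula nodes are strings, a literal is
(node, polarity), a clause is a tuple of literals, and a partial truth
labeling gamma is a dict from formula nodes to True/False."""
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

Literal = Tuple[str, bool]
Clause = Tuple[Literal, ...]
Labeling = Dict[str, bool]


def literal_value(lit: Literal, gamma: Labeling) -> Optional[bool]:
    """Truth value of a literal under gamma, or None if its node is unlabeled."""
    node, polarity = lit
    return None if node not in gamma else gamma[node] == polarity


def is_inconsistent(clauses: Sequence[Clause], gamma: Labeling) -> bool:
    """B-inconsistent: some clause has every literal false under gamma."""
    return any(all(literal_value(l, gamma) is False for l in c) for c in clauses)


def open_unit_literal(clause: Clause, gamma: Labeling) -> Optional[Literal]:
    """If clause is an open gamma-unit-clause (exactly one unlabeled literal,
    every other literal false) return the unlabeled literal, else None."""
    unlabeled = [l for l in clause if literal_value(l, gamma) is None]
    if len(unlabeled) != 1:
        return None
    rest = [l for l in clause if l != unlabeled[0]]
    return unlabeled[0] if all(literal_value(l, gamma) is False for l in rest) else None


def reduce_once(clauses, gamma, pick) -> Optional[Labeling]:
    """One ->_B step: label the open unit literal chosen by `pick` true.
    Only B-consistent labelings are reduced, and a labeling with no open
    unit clause is already in normal form."""
    if is_inconsistent(clauses, gamma):
        return None
    candidates = [lit for c in clauses if (lit := open_unit_literal(c, gamma))]
    if not candidates:
        return None
    node, polarity = pick(candidates)
    return {**gamma, node: polarity}


def normalize(clauses, gamma, pick=lambda cs: cs[0]) -> Labeling:
    """N_B(gamma): reduce until no ->_B step applies.  `pick` fixes the order."""
    while (nxt := reduce_once(clauses, gamma, pick)) is not None:
        gamma = nxt
    return gamma


def b_equivalent(clauses, g1, g2) -> bool:
    """B-equivalence: both B-inconsistent, or the same partial labeling."""
    i1, i2 = is_inconsistent(clauses, g1), is_inconsistent(clauses, g2)
    return (i1 and i2) if (i1 or i2) else g1 == g2


def satisfies(clauses, omega: Dict[str, bool], gamma: Labeling) -> bool:
    """Does the Boolean interpretation omega satisfy every clause and gamma?"""
    return all(any(literal_value(l, omega) for l in c) for c in clauses) and \
        all(omega[n] == v for n, v in gamma.items())


def sound_on_all_worlds(clauses, nodes, gamma) -> bool:
    """->_B soundness lemma, checked by brute force over all interpretations:
    every omega satisfying B and gamma also satisfies N_B(gamma)."""
    normal = normalize(clauses, gamma)
    for values in product([True, False], repeat=len(nodes)):
        omega = dict(zip(nodes, values))
        if satisfies(clauses, omega, gamma) and not satisfies(clauses, omega, normal):
            return False
    return True


# Constructed sample graph: a -> b, a -> c, (b and c) -> d.
NODES = ["a", "b", "c", "d"]
CHAIN: List[Clause] = [
    (("a", False), ("b", True)),
    (("a", False), ("c", True)),
    (("b", False), ("c", False), ("d", True)),
]
# Constructed conflicting graph: a -> b and a -> not b.
CONFLICT: List[Clause] = [
    (("a", False), ("b", True)),
    (("a", False), ("b", False)),
]

if __name__ == "__main__":
    first = normalize(CHAIN, {"a": True})
    last = normalize(CHAIN, {"a": True}, pick=lambda cs: cs[-1])
    print(first, last, b_equivalent(CHAIN, first, last))
    print(sound_on_all_worlds(CHAIN, NODES, {"a": True}))
```

Starting from the labeling that makes only `a` true, `CHAIN` normalizes to the same complete labeling whichever open unit clause is picked first, while `CONFLICT` reaches two different labelings (`b` true or `b` false) that are both inconsistent and therefore $\mathcal{B}$-equivalent, which is exactly the "both inconsistent" branch of the diamond-property proof.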



4.2 Equality Constraint Graphs 

This section describes equality constraint graphs and the inference mecha- 
nisms that apply to them. Sections 4.2.1 and 4.2.2 can be safely ignored by 
readers who are not interested in correctness proofs. 

As the name implies, equality constraint graphs are used to reason about 
equality. In addition to clause links, equality graphs have equality links. An 
equality link expresses the fact that a certain formula node represents an equation 
between two other nodes. Equality constraint graphs have both formula and 
non-formula nodes. The non-formula nodes in an equality constraint graph 
are divided into two types: quotation nodes and non-formula non-quotation 
nodes. No two quotation nodes should ever be equal. If there are $n$ quotation 
nodes then there are order $n^2$ potential equalities between these nodes; the 
existence of quotation nodes eliminates the need to explicitly state that these 
$n^2$ equalities are all false. In the Ontic compilation process quotation nodes 
are used to represent quotation expressions of the form (QUOTE symbol). 



Definition: An equality constraint graph $\mathcal{E}$ consists of a set of 
formula nodes, a set of clause links over the formula nodes, a set 
of quotation nodes, a set of non-formula non-quotation nodes, 
and a set of equality links of the form 

$$p \Leftrightarrow n = m$$

where $p$ is a formula node in $\mathcal{E}$ and $n$ and $m$ are any nodes in $\mathcal{E}$. 

Let $\mathcal{B}$ be the Boolean constraint graph consisting of the formula 
nodes and clause links in an equality constraint graph $\mathcal{E}$. We say 
that $\mathcal{B}$ is the Boolean constraint graph underlying $\mathcal{E}$. 

An equality link of the form $p \Leftrightarrow n = m$ says that the formula node $p$ 
represents the equality between nodes $n$ and $m$. The Ontic compiler creates 
an equality link every time it compiles an equality formula. More specifically, 
every time a node of the form $n_{(=\,a\,b)}$ is created the system constructs the 
equality link 

$$n_{(=\,a\,b)} \Leftrightarrow n_a = n_b$$

where $n_a$ is the node representing the expression $a$ and $n_b$ is the node repre- 
senting the expression $b$. 

A labeling of an equality graph contains both a partial truth labeling of 
the formula nodes and a color labeling of all nodes. The color labeling represents 
information about the equality of nodes; two nodes with the same color are 
considered equal. 



Definition: A labeling $\mathcal{L}$ of a colorable node set $\mathcal{E}$ is a pair 
$\langle\gamma, \kappa\rangle$ where $\gamma$ is a partial truth labeling of the formula nodes 
in $\mathcal{E}$ and $\kappa$ is a color labeling which maps every node in $\mathcal{E}$ to a 
color. 

The notion of a labeling as defined above is meaningful independent of 
the links in the graph structure $\mathcal{E}$. A labeling contains information about 
which formula nodes are true (or false) and information about equivalences 
between nodes (both equivalences between formula nodes and equivalences 
between non-formula nodes). However the links in an equality constraint 
graph $\mathcal{E}$ can be thought of as constraints on labelings. More specifically, we 
have the following definition of an $\mathcal{E}$-inconsistent labeling. 



Definition: We say that a labeling $\langle\gamma, \kappa\rangle$ of $\mathcal{E}$ is $\mathcal{E}$-inconsistent 
if any of the following conditions hold: 

• $\gamma$ is $\mathcal{B}$-inconsistent where $\mathcal{B}$ is the Boolean constraint graph 
underlying $\mathcal{E}$. 

• There is some equality link $p \Leftrightarrow n = m$ in $\mathcal{E}$ such that 
$\kappa(n) = \kappa(m)$ but $\gamma(p) = \mathit{false}$. 

• There are two distinct quotation nodes $n$ and $m$ in $\mathcal{E}$ such 
that $\kappa(n) = \kappa(m)$. 

• There are two formula nodes $p$ and $q$ such that $\kappa(p) = \kappa(q)$, 
both $\gamma(p)$ and $\gamma(q)$ are defined, but $\gamma(p)$ is the opposite of 
$\gamma(q)$. 

If a labeling $\mathcal{L}$ is not $\mathcal{E}$-inconsistent then we say that the labeling 
$\langle\gamma, \kappa\rangle$ is $\mathcal{E}$-consistent. 



A given equality constraint graph $\mathcal{E}$ is associated with an inference rela- 
tion $\to_\mathcal{E}$ on labelings. The inference relation $\to_\mathcal{E}$ can extend a labeling in 
one of two ways: it can add a new truth label on a formula node or it can 
merge two equivalence classes by assigning both classes the same color label. 
When two equivalence classes are merged the smaller class is recolored to be 
the color of the larger class. This class merger operation can be defined as 
follows: 



Definition: If $\kappa$ is a color labeling of the nodes in $\mathcal{E}$, and $n$ 
and $m$ are nodes in $\mathcal{E}$ then the color map $\kappa[\mathrm{union}(n,m)]$ is a 
color map which yields the same equivalence relation as $\kappa$ except 
that the equivalence classes of $n$ and $m$ have been merged. More 
specifically, if the size of the equivalence class of $n$ under $\kappa$ is less 
than or equal to the size of the class of $m$ under $\kappa$ then the map 
$\kappa[\mathrm{union}(n,m)]$ is defined as follows: 

$$\kappa[\mathrm{union}(n,m)](s) = \begin{cases} \kappa(m) & \text{if } \kappa(s) = \kappa(n) \\ \kappa(s) & \text{otherwise} \end{cases}$$

The above definition specifies that the union operation recolors 
the class of $n$ to be the same color as the class of $m$. If the size 
of the class of $n$ under $\kappa$ is larger than the size of the class of 
$m$ under $\kappa$ then $\kappa[\mathrm{union}(n,m)]$ equals $\kappa[\mathrm{union}(m,n)]$. The union 
operation always recolors the smaller equivalence class. 



It is now possible to define the inference relation $\to_\mathcal{E}$. 

Definition: Let $\mathcal{L}$ be a labeling of $\mathcal{E}$ which is equal to the pair 
$\langle\gamma, \kappa\rangle$. Let $\mathcal{L}'$ be a labeling of $\mathcal{E}$ which is equal to the pair 
$\langle\gamma', \kappa'\rangle$. We write $\mathcal{L} \to_\mathcal{E} \mathcal{L}'$ if one of the following conditions 
holds: 

• $\kappa = \kappa'$ and $\gamma'$ is derived from $\gamma$ via unit inference, i.e. $\gamma \to_\mathcal{B} \gamma'$ 
where $\mathcal{B}$ is the Boolean constraint graph underlying $\mathcal{E}$. 

• $\mathcal{E}$ contains the link $p \Leftrightarrow n = m$ and each of the following 
conditions holds 

— $\gamma(p) = \mathit{true}$ 

— $\kappa(n) \neq \kappa(m)$ 

— $\gamma' = \gamma$ and $\kappa' = \kappa[\mathrm{union}(n,m)]$ 

• $\mathcal{E}$ contains the link $p \Leftrightarrow n = m$ and each of the following 
conditions holds 

— $\kappa(n) = \kappa(m)$ 

— $\gamma(p)$ is undefined 

— $\kappa' = \kappa$ and $\gamma' = \gamma[p := \mathit{true}]$ 

• $\mathcal{E}$ contains two formula nodes $p$ and $q$ such that the following 
conditions hold: 

— $\kappa(p) = \kappa(q)$ 

— $\gamma(p)$ is defined but $\gamma(q)$ is not. 

— $\kappa' = \kappa$ and $\gamma' = \gamma[q := \gamma(p)]$ 

4.2.1 Semantic Soundness 

Any semantic interpretation of an equality constraint graph provides both a 
truth labeling and a color labeling where two nodes have the same color just 
in case they denote the same semantic object. A labeling that corresponds 
to a semantic interpretation must be complete in that every formula node 
must have a truth label. 
Definition: A labeling $\mathcal{L}$ of an equality constraint graph $\mathcal{E}$ is 
called complete if $\mathcal{L}$ assigns every formula node in $\mathcal{E}$ a truth label, 
either the label true or the label false. Complete labelings are also 
called possible worlds. 



The term "possible world" comes from modal logic; there is a strong similarity 
between the semantics of the graphs described in chapter 5 and the possible 
world semantics of modal logic. Clause links and equality links can both 
be viewed as constraints on possible worlds. A partial labeling can also be 
viewed as a constraint on possible worlds. 



Definition: A possible world $w$ satisfies an equality constraint 
graph $\mathcal{E}$ just in case the truth labeling of $w$ satisfies every clause 
link in $\mathcal{E}$, no two quotation nodes of $\mathcal{E}$ are assigned the same color 
by $w$, any two formula nodes which are assigned the same color 
label by $w$ are assigned the same truth label by $w$, and for every 
equality link $p \Leftrightarrow n = m$ in $\mathcal{E}$, the world $w$ assigns $p$ the label 
true just in case $w$ assigns $n$ and $m$ the same color label. 

A possible world $w$ satisfies a labeling $\mathcal{L}$ of an equality constraint 
graph $\mathcal{E}$ just in case every formula node which is assigned a truth 
value by $\mathcal{L}$ is assigned the same truth value by $w$ and if two 
nodes $n$ and $m$ are assigned the same color by $\mathcal{L}$ then $n$ and $m$ 
are assigned the same color by $w$. 

The reduction relation $\to_\mathcal{E}$ can be viewed as a sound inference relation 
in the sense that if $\mathcal{L}_1 \to_\mathcal{E} \mathcal{L}_2$ then every constraint in $\mathcal{L}_2$ is implicitly present 
in $\mathcal{E}$ and $\mathcal{L}_1$, i.e. if an interpretation satisfies $\mathcal{E}$ and $\mathcal{L}_1$ then it also satisfies 
$\mathcal{L}_2$. 

$\to_\mathcal{E}$ Soundness Lemma: If $w$ is a possible world that satisfies 
the equality constraint graph $\mathcal{E}$ and the labeling $\mathcal{L}$, and if $\mathcal{L} \to_\mathcal{E} \mathcal{L}'$, 
then $w$ satisfies $\mathcal{L}'$. 
4.2.2 Termination and Order Independence 

Note that if $\mathcal{L} \to_\mathcal{E} \mathcal{L}'$ then either $\mathcal{L}'$ provides more truth labels than $\mathcal{L}$ or $\mathcal{L}'$ 
has fewer colors (equivalence classes) than $\mathcal{L}$. Since there are only finitely 
many formula nodes that can take truth labels, and since the number of 
equivalence classes can not be reduced below one, the inference process must 
terminate, i.e. there are no infinite inference chains of the form 

$$\mathcal{L}_1 \to_\mathcal{E} \mathcal{L}_2 \to_\mathcal{E} \mathcal{L}_3 \to_\mathcal{E} \cdots$$

Thus the relation $\to_\mathcal{E}$ is well founded. 

To prove that $\to_\mathcal{E}$ yields a well defined normalization operation one must 
show that all normal forms of a labeling $\mathcal{L}$ are equivalent modulo some equiv- 
alence relation. This equivalence of normal forms can be established under 
the following equivalence relation. 



Definition: Two labelings $\mathcal{L}$ and $\mathcal{L}'$ of a colorable node set $\mathcal{E}$ 
are called $\mathcal{E}$-equivalent if either both $\mathcal{L}$ and $\mathcal{L}'$ are $\mathcal{E}$-inconsistent 
or if they both provide the same partial truth labeling on the 
formula nodes in $\mathcal{E}$ and the color labelings in $\mathcal{L}$ and $\mathcal{L}'$ determine 
the same equivalence relation on $\mathcal{E}$. 

$\to_\mathcal{E}$ Normalization Lemma: $\to_\mathcal{E}$ is a terminating normalizer 
relative to $\mathcal{E}$-equivalence. 

The proof of the above theorem uses the Knuth-Bendix diamond lemma. 
The proof that $\to_\mathcal{E}$ satisfies the diamond property relative to $\mathcal{E}$-equivalence 
is similar to the proof that $\to_\mathcal{B}$ satisfies the diamond property relative to 
$\mathcal{B}$-equivalence; both proofs are based on the commutativity of individual 
inference reductions. 



4.2.3 Running Time 

The union operation used to construct $\kappa[\mathrm{union}(n,m)]$ recolors the smaller 
of the two equivalence classes. This has the important consequence that every 
time the color label of a node $n$ changes the size of $n$'s equivalence class at 
least doubles. Let $|\mathcal{E}|$ be the number of nodes in $\mathcal{E}$. The color label for a given 
node $n$ can change at most $\lfloor \log_2 |\mathcal{E}| \rfloor$ times because if the color of $n$ changed 
more than $\lfloor \log_2 |\mathcal{E}| \rfloor$ times the equivalence class of $n$ would be larger than 
$|\mathcal{E}|$. Since the color of a given node $n$ can change at most $\lfloor \log_2 |\mathcal{E}| \rfloor$ times the 
total number of coloring operations required to normalize a labeling $\mathcal{L}$ is at 
most $|\mathcal{E}| \lfloor \log_2 |\mathcal{E}| \rfloor$. Since the number of truth labeling operations is at most 
$|\mathcal{E}|$ the total number of labeling operations is order $|\mathcal{E}| \log |\mathcal{E}|$. 



4.3 Congruence Constraint Graphs 

This section describes congruence constraint graphs and the inference mech- 
anisms that apply to them. Sections 4.3.1 and 4.3.2 can be safely ignored by 
readers who are not interested in correctness proofs. 

Congruence constraint graphs are just like equality graphs except that 
they contain subexpression links. Subexpression links relate a node for a 
composite expression to nodes for its subexpressions. For example a subex- 
pression link might relate the node representing the expression (FOO A) to 
the nodes representing FOO and A. The labeling process which uses subex- 
pression links is called congruence closure. Congruence closure effectively 
performs the substitution of equals for equals. For example consider a color 
labeling such that the node for A and the node for B are assigned the same 
color and yet the nodes for (FOO A) and (FOO B) have different colors. This 
labeling would not respect the substitution of equals for equals. A color la- 
beling is said to be congruence closed if it does respect the substitution of 
equals for equals. 



Definition: A congruence constraint graph $\mathcal{C}$ is an equality 
constraint graph augmented with a set of subexpression links of 
the form 

$$(m_1\ m_2 \ldots m_k) = n$$

where $n$ and each $m_i$ are nodes in $\mathcal{C}$. 

Let $\mathcal{E}$ be the equality constraint graph derived from a congruence 
constraint graph $\mathcal{C}$ by deleting all subexpression links. We say 
that $\mathcal{E}$ is the equality constraint graph underlying $\mathcal{C}$. 

A labeling of a congruence constraint graph is a labeling of the 
underlying equality constraint graph. 



A subexpression link of the form $(m_1\ m_2 \ldots m_k) = n$ says that the node 
$n$ represents the application of the operator $m_1$ to the arguments $m_2 \ldots m_k$. 
The Ontic compiler generates subexpression links whenever it compiles 
an applicative expression. Subexpression links can be used to define a new 
inference relation on labelings. 



Definition: A labeling $\mathcal{L}$ of a congruence constraint graph $\mathcal{C}$ is 
called $\mathcal{C}$-consistent just in case $\mathcal{L}$ is $\mathcal{E}$-consistent where $\mathcal{E}$ is the 
equality constraint graph underlying $\mathcal{C}$. 

For any two labelings $\mathcal{L}$ and $\mathcal{L}'$ of a congruence constraint graph 
$\mathcal{C}$ we write $\mathcal{L} \to_\mathcal{C} \mathcal{L}'$ just in case $\mathcal{L}$ is equality consistent and either: 

• $\mathcal{L} \to_\mathcal{E} \mathcal{L}'$ where $\mathcal{E}$ is the equality constraint graph underlying 
$\mathcal{C}$. 

• $\mathcal{L}'$ can be derived from $\mathcal{L}$ via a congruence inference, i.e. $\mathcal{L}$ 
is a pair $\langle\gamma, \kappa\rangle$ such that there are two subexpression links 
$(m_1\ m_2 \ldots m_k) = n$ and $(p_1\ p_2 \ldots p_k) = q$ in $\mathcal{C}$ such that for 
each pair $m_i$ and $p_i$ of corresponding subnodes $\kappa(m_i) = \kappa(p_i)$ 
but $\kappa(n) \neq \kappa(q)$, and $\mathcal{L}'$ is the pair $\langle\gamma, \kappa[\mathrm{union}(n,q)]\rangle$. 

If a labeling $\mathcal{L}$ is normalized relative to $\to_\mathcal{C}$ then there is no pair of 
subexpression links satisfying the conditions for congruence inference given 
in the definition of $\to_\mathcal{C}$. This implies that if $\mathcal{L}$ is normalized under $\to_\mathcal{C}$ then 
$\mathcal{L}$ is congruence closed. 

4.3.1 Semantic Soundness 

Recall that a possible world is a complete labeling, i.e. a color and truth 
labeling which assigns every formula node a truth label. The links in a 
congruence constraint graph can be viewed as constraints on possible worlds. 

Definition: A possible world $w$ satisfies a congruence constraint 
graph $\mathcal{C}$ just in case $w$ satisfies the underlying equality constraint 
graph and for any two subexpression links 

$$(m_1\ m_2 \ldots m_k) = n$$

and 

$$(p_1\ p_2 \ldots p_k) = q$$

if for each $m_i$ the world $w$ assigns $m_i$ and $p_i$ the same color then 
$w$ assigns $n$ and $q$ the same color. 

The reduction relation $\to_\mathcal{C}$ can be viewed as a sound inference relation 
in the sense that if $\mathcal{L}_1 \to_\mathcal{C} \mathcal{L}_2$ then the constraints in $\mathcal{C}$ and $\mathcal{L}_1$ semantically 
imply the constraints in $\mathcal{L}_2$. 

$\to_\mathcal{C}$ Soundness Lemma: If $w$ is a possible world that satisfies 
both a congruence constraint graph $\mathcal{C}$ and a labeling $\mathcal{L}$ of $\mathcal{C}$, and 
if $\mathcal{L} \to_\mathcal{C} \mathcal{L}'$, then $w$ satisfies $\mathcal{L}'$. 



4.3.2 Termination and Order Independence 

If $\mathcal{L} \to_\mathcal{C} \mathcal{L}'$ then either $\mathcal{L}'$ provides more truth labels than $\mathcal{L}$ or $\mathcal{L}'$ provides 
fewer color labels, and thus has fewer equivalence classes, than $\mathcal{L}$. Since 
there can not be more truth labels than there are formula nodes, nor fewer 
equivalence classes than one, every reduction chain must terminate. Thus 
the relation $\to_\mathcal{C}$ is well founded. 

To prove that $\to_\mathcal{C}$ yields a well defined normalization operation one must 
show that all normal forms of a labeling $\mathcal{L}$ are equivalent modulo some given 
equivalence relation. 

$\to_\mathcal{C}$ Normalization Lemma: $\to_\mathcal{C}$ is a terminating normalizer 
modulo $\mathcal{E}$-equivalence where $\mathcal{E}$ is the equality constraint graph 
underlying $\mathcal{C}$. 

The above theorem is proved via the Knuth-Bendix diamond lemma, and the 
proof that $\to_\mathcal{C}$ satisfies the diamond property is based on the commutativity 
of individual inferences. 



4.3.3 Implementation Techniques 

For any labeling $\mathcal{L}$ of a congruence constraint graph $\mathcal{C}$ we can define $N_\mathcal{C}(\mathcal{L})$ to 
be any normal form of $\mathcal{L}$ under the reduction relation $\to_\mathcal{C}$. The definition of 
$\to_\mathcal{C}$ specifies the value of $N_\mathcal{C}(\mathcal{L})$ up to $\mathcal{E}$-equivalence where $\mathcal{E}$ is the equality 
constraint graph underlying $\mathcal{C}$. Furthermore, because the size of a node's 
equivalence class at least doubles every time the node is assigned a new 
color, the normalization procedure involves at most order $|\mathcal{C}| \log |\mathcal{C}|$ labeling 
operations. The above specification however does not provide a complete 
description of an efficient implementation of the normalization function $N_\mathcal{C}$. 
More specifically no procedure has been given for finding the clauses, equality 
links, and subexpression links involved in a single step of the normalization 
process. 

Most labeling inferences involve a single link in the graph structure; the 
inference is justified by a single link and the label of the nodes in that link. 
Boolean constraint propagation based on clause links, for example, always 
involves a single clause. There are certain inferences, however, that involve 
two objects that are not connected by any single link. For example, to test 
for consistency the system must determine if two quotation nodes have the 
same color label. To quickly test for the presence of two quotation nodes 
with the same color label one can maintain a hash table with entries of the 
form $c \mapsto n$ where $c$ is a color and $n$ is a quotation node. Every time a 
quotation node $n$ is assigned a color $c$ one checks the hash table to see if 
some other quotation node has been labeled with color $c$. If there is such 
a node, an inconsistency is flagged. If there is no such node then one adds 
a new entry to the hash table. This hash table can be maintained during 
the inference process. Assuming hash lookup takes constant time, the time 
needed to maintain this hash table is proportional to the number of color 
labeling operations. 

Another example of an inference that involves two objects not related 
by a single link is congruence inference. Congruence inference, as defined in 
the previous section, requires finding two subexpression links which together 
justify a congruence inference. Let $s$ be the number of subexpression links. 
Searching all pairs of subexpression links for a possible congruence inference 
might require order $s^2$ comparisons. Fortunately an additional data structure 
can be used to eliminate the need for $s^2$ comparisons. 

Each labeling of a congruence constraint graph can be augmented with 
a hash table that maps tuples of colors to nodes. More specifically each 
labeling is associated with a set of hash table entries of the form 

$$\langle c_1\ c_2 \ldots c_k\rangle \mapsto n$$

where each $c_i$ is a color and $n$ is a node. Such a table entry corresponds to 
a subexpression link of the form 

$$(m_1\ m_2 \ldots m_k) = n$$

where each node $m_i$ has color $c_i$. Using this hash table it is possible to quickly 
determine if there are two subexpression links satisfying the conditions for 
congruence inference. Such a hash table can be incrementally maintained as 
a labeling is normalized. 

Given the hash tables described above it is possible to determine if a 
labeling can be further reduced by independently examining individual links. 
If a given link $\ell$ can not be used to generate an inference then $\ell$ need not be 
checked again until some label changes for some node in $\ell$. The total number 
of labeling operations performed on any given node is order $\log(n)$ where $n$ 
is the number of nodes in the graph. If there is some upper bound on the 
number of nodes that appear in any given link then the number of times a 
given link needs to be checked is also order $\log(n)$. Thus, if $e$ is the number 
of links in the graph, and $n$ is the number of nodes, the total number of link 
checks is order $e \log(n)$ and the total number of labeling operations is order 
$n \log(n)$. Efficient congruence closure algorithms are described in [Downey, 
Sethi, & Tarjan 80]. 
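The union operation of section 4.2, the congruence inference of section 4.3 and the two hash tables described in this section fit together in a short normalization procedure. The following Python block is an added example and not code from the Ontic system: it keeps a class-membership table so that $\kappa[\mathrm{union}(n,m)]$ always recolors the smaller class and counts the recolorings, tests $\mathcal{E}$-inconsistency with the color-to-quotation-node table, and performs congruence inference through a color-tuple signature table. Clause links and unit inference are left out, the two hash tables are rebuilt per pass rather than maintained incrementally, and the node names and sample graph are constructed for this example.

```python
"""Normalizing a labeling of a congruence constraint graph: an added example,
not code from the Ontic system.  Clause links (Boolean constraint
propagation) are left out; the block covers equality links, quotation
nodes, the smaller-class union operation and congruence inference via a
signature hash table.  All names and the sample graph are constructed."""
from typing import Dict, List, Optional, Set, Tuple


class CongruenceGraph:
    def __init__(self) -> None:
        self.formula: Set[str] = set()          # formula nodes
        self.quotation: Set[str] = set()        # quotation nodes, never equal
        self.equality_links: List[Tuple[str, str, str]] = []         # (p, n, m): p <=> n = m
        self.subexpr_links: List[Tuple[Tuple[str, ...], str]] = []  # (m1 .. mk) = n


class Labeling:
    """A pair <gamma, kappa>: partial truth labels plus a color per node."""

    def __init__(self, nodes: List[str], gamma: Optional[Dict[str, bool]] = None):
        self.gamma: Dict[str, bool] = dict(gamma or {})
        self.kappa: Dict[str, int] = {n: i for i, n in enumerate(nodes)}
        self.classes: Dict[int, Set[str]] = {i: {n} for i, n in enumerate(nodes)}
        self.recolorings = 0   # color-label changes; O(|E| log |E|) in total

    def union(self, n: str, m: str) -> bool:
        """kappa[union(n, m)]: recolor the smaller class with the larger's color."""
        cn, cm = self.kappa[n], self.kappa[m]
        if cn == cm:
            return False
        if len(self.classes[cn]) > len(self.classes[cm]):
            cn, cm = cm, cn
        small = self.classes.pop(cn)
        for x in small:
            self.kappa[x] = cm
            self.recolorings += 1
        self.classes[cm] |= small
        return True


def inconsistent(g: CongruenceGraph, lab: Labeling) -> Optional[str]:
    """E-inconsistency test; returns the violated condition or None."""
    for p, n, m in g.equality_links:
        if lab.kappa[n] == lab.kappa[m] and lab.gamma.get(p) is False:
            return f"{p} is false but {n} and {m} share a color"
    by_color: Dict[int, str] = {}      # hash table color -> quotation node
    for q in sorted(g.quotation):
        if lab.kappa[q] in by_color:
            return f"quotation nodes {by_color[lab.kappa[q]]} and {q} share a color"
        by_color[lab.kappa[q]] = q
    for members in lab.classes.values():
        labels = {lab.gamma[x] for x in members if x in g.formula and x in lab.gamma}
        if len(labels) > 1:
            return "formula nodes with the same color carry opposite truth labels"
    return None


def normalize(g: CongruenceGraph, lab: Labeling) -> Labeling:
    """Apply ->_C steps until none applies or the labeling is inconsistent."""
    changed = True
    while changed and inconsistent(g, lab) is None:
        changed = False
        for p, n, m in g.equality_links:
            if lab.gamma.get(p) is True and lab.kappa[n] != lab.kappa[m]:
                changed |= lab.union(n, m)           # p true: merge n and m
            elif lab.kappa[n] == lab.kappa[m] and p not in lab.gamma:
                lab.gamma[p] = True                  # n = m known: p becomes true
                changed = True
        for members in list(lab.classes.values()):   # equal formulas share labels
            known = [lab.gamma[x] for x in members if x in g.formula and x in lab.gamma]
            for x in members:
                if known and x in g.formula and x not in lab.gamma:
                    lab.gamma[x] = known[0]
                    changed = True
        signature: Dict[Tuple[int, ...], str] = {}   # <c1 .. ck> -> n
        for args, n in g.subexpr_links:
            key = tuple(lab.kappa[a] for a in args)
            if key in signature and lab.kappa[signature[key]] != lab.kappa[n]:
                changed |= lab.union(n, signature[key])   # congruence inference
            signature.setdefault(key, n)
    return lab


def example_graph() -> Tuple[CongruenceGraph, List[str]]:
    """Constructed graph: p <=> A = B, q <=> (FOO A) = (FOO B), r <=> QA = QB."""
    g = CongruenceGraph()
    nodes = ["FOO", "A", "B", "FA", "FB", "QA", "QB", "p", "q", "r"]
    g.formula = {"p", "q", "r"}
    g.quotation = {"QA", "QB"}
    g.equality_links = [("p", "A", "B"), ("q", "FA", "FB"), ("r", "QA", "QB")]
    g.subexpr_links = [(("FOO", "A"), "FA"), (("FOO", "B"), "FB")]
    return g, nodes


if __name__ == "__main__":
    g, nodes = example_graph()
    lab = normalize(g, Labeling(nodes, {"p": True}))
    print(lab.gamma, lab.recolorings, inconsistent(g, lab))
```

Labeling `p` true merges `A` and `B`, the signature table then finds that `(FOO A)` and `(FOO B)` have the same color tuple and merges them, and on the next pass the equality link for `q` labels `q` true; only two recolorings are needed. Labeling `q` false as well, or labeling `r` true so that the two quotation nodes are merged, stops the procedure with an inconsistency.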
Chapter 5 

Inference with Quantifiers 



Focused binding and automatic universal generalization are graph labeling 
inference processes that construct binding environments and quantified for- 
mulas. Certain nodes in the graph structure are identified as variable nodes. 
Graph labelings are used to represent variable bindings. For example if $n$ is 
a variable node and $r$ is some other node then the binding $n \mapsto r$ can be 
represented in a graph labeling by merging the equivalence classes of $n$ and $r$. 
This graph theoretic binding mechanism forms the basis for an inheritance 
mechanism; a binding of the form $n \mapsto r$ causes information known to be 
true of the variable (or generic individual) $n$ to be inherited by the particular 
instance $r$. 

Ontic's inference mechanisms are fully described in sections 5.1, 5.4, 5.5 
and 5.6; sections 5.2 and 5.3 can be safely ignored by readers who are not 
interested in correctness proofs. 



5.1 Semantic Modulation Graphs 



Semantic modulation graphs have two new kinds of nodes: variable nodes 
which represent variables and type nodes which represent types. Semantic 
modulation graphs also have two new kinds of links: type declaration links 
that associate a variable with a type and type assertion links each of which 
states that a certain formula node represents the statement that a certain 
object (node) is an instance of a certain type. 

This section describes the inference relation $\to_\mathcal{S}$. The inference relation 
$\to_\mathcal{S}$ both performs inference and generates variable bindings. However, the 
relation $\to_\mathcal{S}$ is not guided by focus objects. Section 5.4 describes the relation 
$\to_{\mathcal{S},\mathcal{F}}$ which is similar to $\to_\mathcal{S}$ except that the generation of variable bindings 
is guided by a set $\mathcal{F}$ of focus objects. 

Before defining semantic modulation graphs we define the preliminary 
notion of a variable graph. A semantic modulation graph is a variable graph 
that satisfies a certain non-circularity constraint. 



Definition: A variable graph consists of a congruence constraint 
graph together with the following: 

• A classification of the non-formula non-quotation nodes into 
variable nodes, type nodes, and unclassified nodes. 

• A set of free variable links of the form 

$$n \ll r$$

where $n$ is a variable node. Such a link says that $n$ rep- 
resents a variable that appears free in the expression repre- 
sented by $r$. 

• A set of type declaration links; for each variable node $n$ there 
is exactly one type declaration link of the form 

$$n : m$$

The node $m$ is called the type node of $n$ and $n$ is called a 
variable of type $m$. 

• A set of type formula links of the form 

$$p \Leftrightarrow r : m$$

where $p$ is a formula node, $r$ is any node, and $m$ is a type 
node. Such a link says that formula node $p$ represents the 
statement that node $r$ is an instance of the type represented 
by $m$. 

• A set of subtype links of the form 

$$q \Leftrightarrow m \prec m'$$

where $q$ is a formula node and $m$ and $m'$ are type nodes. 
Such a link says that $q$ represents the formula that $m$ is a 
subtype of $m'$, i.e. every instance of $m$ is an instance of $m'$. 

Let $\mathcal{C}$ be the congruence constraint graph derived from a vari- 
able graph $\mathcal{V}$ by removing all free variable links, type declaration 
links, type formula links, and subtype links. We say that $\mathcal{C}$ is the 
congruence constraint graph underlying $\mathcal{V}$. 

It may seem that the free variable links are redundant; it seems that 
one could define the free variables of a node in terms of the subexpression 
links discussed in chapter 4. Since a semantic modulation graph is just a 
congruence graph with additional structure these subexpression links are 
part of a semantic modulation graph. Unfortunately the graph may contain 
nodes that represent lambda closures (functions, types, and type generators). 
These nodes represent expressions that contain free variables but these nodes 
are not involved in subexpression links in a way that allows the free variables 
to be determined from the subexpression links. Thus explicit free variable 
links are needed. 

The semantic modulation inference mechanisms manipulate bindings of 
the form $n \mapsto r$ where $n$ is a variable node. A binding of the form $n \mapsto r$ 
can be viewed as an instruction to set the value of the variable $n$ to the 
node $r$. Changing the value of a given variable forces the values of certain 
other nodes to change. In ordinary predicate calculus changing the value of 
a variable $x$ causes changes in the meanings of terms that contain $x$ as a 
free variable; the meaning of expressions which do not contain $x$ as a free 
variable will not change when $x$ is changed. The situation in Ontic is slightly 
more complex. Suppose that $x$ is a variable ranging over sets and that $y$ is 
a variable of type (MEMBER-OF x). In this case changing the meaning of the 
variable $x$ may force a change in the meaning of the variable $y$ even though $x$ 
is not a free variable of $y$. In general if $x$ is a variable which appears free in 
the type node of another variable $y$ then we say that $y$ depends on $x$. This 
notion of dependency can be defined in terms of the structure of a variable 
graph. 



Definition: Let $s$ be a node in a variable graph $\mathcal{V}$ and let $n$ be 
a variable node in $\mathcal{V}$. We say that $n$ is a free variable of $s$ just 
in case $\mathcal{V}$ contains the free variable link $n \ll s$. We say that $s$ 
depends on $n$ just in case $n$ is a free variable of $s$ or there is some 
free variable $n'$ of $s$ such that the type node of $n'$ depends on $n$. 

The soundness (or validity) of the semantic modulation inference process 
relies on an additional property of graphs. More specifically, the soundness 
of the semantic modulation inference process requires that the type node of 
a variable n does not depend on n. Intuitively this condition allows one to 
assign the value of a variable without changing the type of the variable. 

Definition: A semantic modulation graph S is a variable graph 
such that for every variable node n the type node of n does not 
depend on n. 

In addition to manipulating truth and color labels, the semantic modu- 
lation inference process manipulates variable bindings. More specifically, a 
state of the semantic modulation inference process contains both a truth and 
color labeling $\mathcal{L}$ and a binding set $\beta$ which contains bindings of the form 
$n \mapsto r$ where $n$ is a variable node. 



Definition: Let $\mathcal{S}$ be a semantic modulation graph. A binding 
set over $\mathcal{S}$ is a set of bindings of the form $n \mapsto r$ where $n$ is 
a variable node and $r$ is any node in $\mathcal{S}$. We say that a variable 
node $n$ in $\mathcal{S}$ is bound under $\beta$ if $\beta$ contains a binding of the form 
$n \mapsto r$. If $n$ is not bound under $\beta$ then $n$ is called $\beta$-free. 

In order to define the inference relation on semantic modulation graphs 
the notion of dependence needs to be defined relative to a binding set $\beta$. 
Recall that if $s$ depends on $n$ then changing the value of $n$ may force a 
change in the value of $s$. Consider a binding of the form $n \mapsto r$. In the 
presence of the binding $n \mapsto r$ changing the value of $r$ forces a change in 
the value of $n$; in the presence of the binding $n \mapsto r$ the variable $n$ depends 
on $r$. This observation leads to the notion of $\beta$-dependence where $\beta$ is any 
binding set. If $s$ $\beta$-depends on $n$ then, in the presence of the binding set $\beta$, 
changing the value of $n$ may force a change in the value of $s$. The precise 
semantic significance of the following syntactic definition will be discussed in 
more detail in later sections. 



Definition: Let $\beta$ be a binding set over a semantic modulation 
graph $\mathcal{S}$. 

We say that a node $s$ $\beta$-depends on a variable node $n$ if one of 
the following conditions holds: 

• $n$ is a free variable of $s$. 

• There exists a free variable $n'$ of $s$ such that $n'$ is bound 
under $\beta$ with binding $n' \mapsto r$ and $r$ $\beta$-depends on $n$. 

• There exists a free variable $n'$ of $s$ such that $n'$ is not bound 
under $\beta$, i.e. is $\beta$-free, and the type node for $n'$ $\beta$-depends 
on $n$. 



I will use the term direct dependence to refer to the standard notion of 
dependence as distinct from $\beta$-dependence. If $\beta$ is empty then $\beta$-dependence 
is the same as direct dependence. In the definition of $\beta$-dependence the 
presence of a binding of the form $n \mapsto r$ causes the variable node $n$ to be 
treated as a copy of the node $r$. 




The inference relation $\to_\mathcal{S}$ for semantic modulation graphs operates on 
binding labelings where each binding labeling consists of a truth and color 
labeling together with a binding set. 



Definition: Let $\mathcal{S}$ be a semantic modulation graph. 

A truth and color labeling of $\mathcal{S}$ is a labeling $\mathcal{L}$ of the congruence 
constraint graph underlying $\mathcal{S}$. 

A binding labeling $\Gamma$ of $\mathcal{S}$ consists of a truth and color labeling $\mathcal{L}$ 
of $\mathcal{S}$ together with a binding set $\beta$ over $\mathcal{S}$. 



Before generating a binding of the form $n \mapsto r$ the system must be sure that 
$r$ is an instance of the type of $n$. More specifically, for any given truth and 
color labeling $\mathcal{L}$ and any node $r$ it is possible to collect a set of types known 
to contain $r$ as an instance. These types are called the established types for 
$r$. 



Definition: Let $\mathcal{L}$ be a truth and color labeling of a semantic 
modulation graph $\mathcal{S}$ and let $r$ be any node in $\mathcal{S}$. The set of $\mathcal{L}$- 
established-type-nodes for $r$ is the least set of type nodes satisfying 
the following conditions: 

• If there exists a type formula link $p \Leftrightarrow r : m$ in $\mathcal{S}$ such 
that $\mathcal{L}$ assigns $p$ the label true then the node $m$ is an $\mathcal{L}$- 
established-type-node for $r$. 

• If $r'$ is a node which is assigned the same color as $r$ under 
the labeling $\mathcal{L}$ then all $\mathcal{L}$-established-type-nodes for $r'$ are 
also $\mathcal{L}$-established-type-nodes for $r$. 

• If $m$ is an $\mathcal{L}$-established-type-node for $r$ and $m'$ is assigned 
the same color as $m$ under $\mathcal{L}$ then $m'$ is also an $\mathcal{L}$-established- 
type-node for $r$. 

• If $m$ is an $\mathcal{L}$-established-type-node for $r$ and $\mathcal{S}$ contains a 
subtype link $p \Leftrightarrow m \prec m'$ such that $\mathcal{L}$ assigns $p$ the label 
true then $m'$ is an $\mathcal{L}$-established-type-node for $r$. 
Before generating a binding of the form $n \mapsto r$ the system must be sure 
that this binding can be satisfied. For example suppose that $n$ ranges over 
numbers and consider the binding $n \mapsto n + 1$. This binding is well typed 
because $n$ ranges over numbers and $n + 1$ is always a number. However there 
is no interpretation which assigns $n$ the same number as $n + 1$. The system 
ensures that a binding of the form $n \mapsto r$ can be satisfied by checking that 
$r$ does not depend on $n$, i.e. that it is possible to set the value of $n$ to the 
value of $r$ without changing the value of $r$. It is now possible to define the 
inference relation $\to_\mathcal{S}$. 



Definition: Let T be a binding labeling of S which consists of 
the truth and color labeling ℒ and the binding set β. Let T' 
be a binding labeling of S which consists of the truth and color 
labeling ℒ' and the binding set β'. 

We write T →_S T' if ℒ →_C ℒ' where C is the congruence constraint 
graph underlying S and β = β', or if there exists a node r in S, 
an ℒ-established-type-node m for r, and a variable n of type m such 
that the following conditions hold: 

• r does not β-depend on n. 

• n is β-free (i.e. not bound under β). 

• β' = β ∪ {n ↦ r} and ℒ' is the truth and color labeling 
which results from ℒ by merging the equivalence classes of 
n and r. 



The bindings generated by →_S can not be deduced from information in 
the graph; the process which generates bindings is non-deductive. However 
it is possible to assign semantic meaning to binding labelings of semantic 
modulation graphs in such a way that the relation →_S can be proven to be 
semantically sound. 
5.2 Semantic Soundness 

This section proves the semantic soundness of the inference relation →_S. 
The inference relation →_S is fully specified in section 5.1 and those readers 
not interested in correctness proofs can safely ignore this section. 

Before one can prove a soundness theorem for the relation →_S one must 
define a semantics for semantic modulation graphs. A semantics for a se-
mantic modulation graph is a set of possible worlds analogous to the possible 
worlds in a model of modal logic. Given this semantics it is easy to state 
the soundness theorem for the inference relation →_S. The proof of the →_S 
soundness theorem requires the notion of a W-valid binding labeling; the 
relation →_S preserves the W-validity of binding labelings. Unfortunately 
the definition of a W-valid binding labeling is fairly complex. Furthermore 
the proof that →_S preserves W-validity is quite long and has been relegated 
to a separate section. This section defines the semantics of semantic modu-
lation graphs, states the →_S soundness theorem, and defines the notion of 
W-validity which is preserved by →_S. 



5.2.1 Semantics 

Semantic modulation graphs have a more sophisticated semantics than any 
of the graphs used for purely quantifier free inference. The soundness results 
for Boolean constraint graphs, equality constraint graphs and congruence 
constraint graphs were stated in terms of a single possible world w. On the 
other hand the soundness result for semantic modulation graphs is stated 
in terms of a set W of possible worlds. The set W of possible worlds is 
analogous to a semantic model of a modal logic. 

The graphs generated by the Ontic compiler have an intended semantics 
which is a special case of the general semantics defined in this section. Each 
node in a graph generated by the Ontic compiler is associated with an expres- 
sion in the formal language Ontic. Expressions in the language Ontic have a 
semantics which is defined in terms of a universe of sets. More specifically, 
the meaning of an Ontic expression is defined relative to a universe and an 
interpretation of each variable as an object in that universe which is an in-
stance of the type of the variable. Consider a fixed universe and consider all 
the type-respecting variable interpretations over that universe. Each type-
respecting variable interpretation over a fixed universe determines a truth 
value for every Ontic formula and a meaning (value) for every Ontic expres-
sion. The meanings can be treated as colors and thus each type-respecting 
variable interpretation provides a truth and color labeling of the graph gener-
ated by the Ontic compiler. Each such truth and color labeling is complete in 
that every formula node has a truth label. The set of truth and color label-
ings that correspond to the different type-respecting variable interpretations 
over a fixed universe determines a set W of possible worlds. 



Definition: Let S be a semantic modulation graph. 

A semantics for S is a set W of possible worlds (complete 
truth and color labelings) for nodes in S together with a binary 
relation ":" on the color labels that appear in worlds in W. 

The semantic domain of a semantics W for S is the set of all 
color labels which appear in the worlds in W. 

If c and c' are colors in the semantic domain of a semantics W 
and if c:c' (i.e. c is related to c' under the relation ":") then we 
say that c is an instance of the type color c'. 

A color c in the semantic domain of a semantics W is called a type color if 
there exists a type node m and a world w in W such that m has color c in w. 
The relation ":" on colors allows a type color (or any color) to be viewed as a 
set. More specifically a type color c can be viewed as the set of all instances 
of c. Worlds assign colors to type nodes. Thus each world provides a way of 
interpreting each type node as a set; the set associated with type node m in 
world w is the set of all instances of the color of m in w. Note that the set 
associated with a given type node can be different in different worlds. 



Definition: The color c is said to be an instance of a type node 
m in a world w just in case c : c_m where c_m is the color of m in 
the world w. 

A type node m is said to be a subtype of a type node m' in world 
w just in case every instance of m in w is also an instance of m' 
in w. 

Variables are nodes whose interpretation can be varied. More specifically 
suppose that n is a variable node with type node m. Furthermore suppose 
that w is a world such that c is an instance of m in w. In this case 
it should be possible to interpret the variable n as the color c, i.e. one should 
be able to assign n the value c. Changing the interpretation of a variable n 
forces changes in the interpretation of expressions that depend on n. These 
intuitions are formally captured in the following semantic definition of an 
assignment. 

Definition: Let W be a semantics for a semantic modulation 
graph S. 

We say that two worlds w and w' in W agree on a node s if w 
and w' assign 5 the same color label and if s is a formula node 
then w and w' assign s the same truth label. 

Let n be a variable node in S, let c be a color in the semantic 
domain of W, and let w be any world in W. An assignment of 
n to c in w is a world w[n := c] which assigns n the color c and 
which agrees with w on all nodes that do not depend on n. 

The links in a semantic modulation graph can be viewed as constraints 
on possible worlds. More specifically a semantics W is called a satisfactory 
semantics for a semantic modulation graph S if the information in the links 
in S holds true under the semantics W. 



Definition: We say that a semantics W for a semantic modu-
lation graph S is a satisfactory semantics for S if the following 
conditions hold: 

• Every world in W satisfies the congruence constraint graph 
underlying S. 

• The labels of a node are determined by the labels of the 
free variables of that node, i.e. if w and w' are two worlds in 
W such that w and w' agree on all free variables of a node 
s, then w and w' agree on s (in particular if s has no free 
variables then all worlds in W must agree on s). 

• If p ⇔ r : m is a type formula link in S and w is a world in 
W then w assigns p the label true just in case the color of 
r in w is an instance of m in w. 

• If p ⇔ m ≺ m' is a subtype link in S and w is a world in W 
then w assigns p the label true just in case m is a subtype 
of m' in w. 

• If n is a variable node of type m and c is an instance of m 
in a world w then W contains an assignment w[n := c] of n 
to c in w. 

It is now possible to state the main soundness theorem of this section. The 
proof of this theorem is long and complex and is given in the next section. 



→_S Soundness Theorem: Let W be a satisfactory semantics 
for a semantic modulation graph S. Let T be a binding labeling 
with an empty binding set such that every world in W satisfies 
the truth and color labeling of T. Now suppose T →_S* T' where 
T' has binding set β and labeling ℒ'. If p is a formula node that 
is labeled true under ℒ', and p does not depend on any variable 
bound under β, then p must be labeled true in all worlds in W. 



5.2.2 The Proof of the →_S Soundness Theorem 

The proof of the semantic modulation soundness theorem relies on the con-
struction of a complex property, or induction hypothesis, that is preserved 
under the relation →_S. More specifically, given a satisfactory semantics W 
for a semantic modulation graph S we define the notion of a W-valid bind-
ing labeling and prove that →_S preserves W-validity. A binding labeling 
is W-valid if its binding set is W-legal and the equations represented by its 
binding set imply the constraints in its labeling. The notion of a W-legal 
binding set is quite complex. First of all every W-legal binding set must be 
universally satisfiable in the following sense. 

Definition: Let W be a satisfactory semantics for a semantic 
modulation graph S and let β be a binding set over S. 

A world w in W satisfies the binding set β if for every binding n ↦ r 
in β, the world w assigns n and r the same color label. 

The binding set β is W-universally-satisfiable if for every world w 
in W the semantics W also contains a world w[β] such that w[β] 
satisfies β and agrees with w on all nodes that do not depend on 
any variable bound under β. 

It is interesting to note that a binding set can be type respecting but still 
not be universally satisfiable in the above sense. For example suppose that n 
is a variable node that ranges over all numbers. The expression n + 1 always 
denotes a number. Thus the binding n ↦ n + 1 is type respecting. However 
there is no world in which n equals n + 1 and so the binding n ↦ n + 1 is 
not satisfiable. 

If one could prove that →_S preserves the universal satisfiability of binding 
sets and preserves the fact that a binding labeling's binding set implies the 
constraints in its labeling then one could prove the →_S soundness theorem. 
Unfortunately the notion of a universally satisfiable binding set does not 
provide a strong enough induction hypothesis; to prove that →_S preserves 
the universal satisfiability of binding sets it is necessary to prove that →_S 
preserves a stronger property of binding contexts. This stronger property is 
called W-legality. Before defining W-legality however we need the notion of a 
β-assignment. In the presence of a binding set β we are only concerned with 
those worlds that satisfy β. More specifically if w is a world that satisfies β 
then we are interested in finding assignments w[n := c] that also satisfy β. 
Definition: Let β be a binding set over a semantic modulation 
graph S and let w be a world in a satisfactory semantics W for 
S. Let n be a variable node in S and let c be a color in the 
semantic domain of W. A β-assignment of n to c in w is a world 
w[β, n := c] which satisfies β, assigns n the color c, and which 
agrees with w on all nodes that do not β-depend on n. 

Of course the above definition does not guarantee that β-assignments 
exist whenever c is an instance of the type of n. It turns out however that →_S 
preserves the property that if n is not bound under β then β-assignments 
exist for n. Recall that variables which are not bound under β are called 
β-free. 



Definition: Let β be a binding set over a semantic modulation 
graph S and let W be a satisfactory semantics for S. We say 
that β-assignments exist in W if for every world w in W, every 
β-free variable node n in S, and every instance c of the type of n 
in world w under semantics W, the semantics W also contains a 
β-assignment w[β, n := c] of n to c in w. 

There are universally satisfiable binding sets which do not have the prop-
erty that β-assignments exist. However, the existence of β-assignments is 
one of the properties preserved under the relation →_S. The relation →_S 
preserves a property called W-legality. A binding set β is W-legal if it is 
universally satisfiable, β-assignments exist, and there are no β-dependency 
loops as defined below. 



Definition: Let W be a satisfactory semantics for a semantic 
modulation graph S and let β be a binding set over S. 

A β-dependency-loop is a variable node n such that either n is 
bound under β with binding n ↦ r and r β-depends on n or n is 
β-free and the type node of n β-depends on n. 

We say that the binding set β is W-legal if there are no β-
dependency loops, β is W-universally-satisfiable, and β-assignments 
exist in W. 

The notion of a W-legal binding set leads to the notion of a W-valid 
binding labeling. A binding labeling is W-valid if its binding set is W-legal 
and its color and truth labeling is implied by its binding set, i.e. every world 
which satisfies its binding set also satisfies its labeling. 



Definition: Let W be a satisfactory semantics for a semantic 
modulation graph S. A binding labeling T is called W-valid if 
the binding set of T is W-legal and every world in W which 
satisfies the binding set of T also satisfies the labeling of T. 

It is now possible to state the main theorem of this section: the relation 
→_S preserves W-validity. 
→_S Preservation Theorem: Let W be a satisfactory seman-
tics for a semantic modulation graph S. If T is a W-valid binding 
labeling and T →_S T', then T' is also W-valid. 

Before giving the proof of the →_S preservation theorem it is important to 
note that the →_S preservation theorem implies the →_S soundness theorem. 
More specifically consider an initial binding labeling T, i.e. a binding labeling 
with an empty binding set and such that every world in the satisfactory 
semantics W satisfies the labeling of T. It is easy to show that any such 
initial binding labeling is W-valid. Now suppose T →_S* T' and consider a 
formula node p which is labeled true under the labeling of T' and such that 
p does not (directly) depend on any variable bound under the binding set 
of T'. To prove the →_S soundness theorem we must show that under these 
conditions all worlds in W label p true. Consider any world w in W. The 
→_S preservation theorem implies that T' is W-valid 
and thus the binding set of T' is W-legal. Let β be the binding set of T'. The 
binding set β is universally satisfiable and so there exists a world w[β] that 
satisfies β and that agrees with w on all nodes that do not (directly) depend 
on variables bound under β. Since T' is W-valid, and since w[β] satisfies β, 
w[β] satisfies the labeling ℒ' of T', which labels p true. Thus w[β] labels p true. 
But since p does not depend on any variables bound under β, w[β] must 
agree with w on p. Thus w must label p true. Thus the →_S preservation 
theorem implies the →_S soundness theorem. 



5.3 Proof of the →_S Preservation Theorem 

This section can safely be ignored by those readers not interested in correct- 
ness proofs. 

The proof of the →_S preservation theorem is fairly long and complex. 
Most of the complexity of this theorem results from the definition of β-
dependence. The above definition of β-dependence implies that β-dependence 
is non-monotonic in β; the addition of a binding n ↦ r can remove as well 
as add dependencies. In particular, suppose s directly depends on n, i.e. 
s depends on n relative to the empty binding set. Further suppose that n 
directly depends on n'. In this case s depends on n' in such a way that 
the dependency from s to n' passes through the node n. If the dependency 
from s to n' passes through the node n then the binding n ↦ r can "erase" 
this dependency; it is possible that s β-depends on n' when β is empty but 
s does not β-depend on n' if β consists of the single binding n ↦ r. Thus 
the β-dependence relation is non-monotonic in β; adding bindings to β can 
remove dependencies. 

There is a simpler, monotonic, notion of β-dependence which I will call 
weak-β-dependence. A node s weakly-β-depends on a variable n if either s 
directly depends on n or there is a binding n' ↦ r in β such that s weakly-
β-depends on n' and r weakly-β-depends on n. In the current discussion I 
will use the term strong-β-dependence to refer to the notion of β-dependence 
that has been used in the definition of →_S and the definition of a W-
legal binding set. Strong-β-dependence implies weak-β-dependence but the 
converse does not hold; it is possible that s weakly-β-depends on n but that 
s does not strongly-β-depend on n. Weak-β-dependence is monotonic in β; 
adding bindings monotonically increases dependencies. 

If weak-β-dependence had been used rather than strong-β-dependence 
the relation →_S would still preserve W-validity and the proof of the preser-
vation theorem would be much simpler. Unfortunately the use of weak-β-
dependence would not allow as many bindings under the relation →_S. Fur-
thermore, strong-β-dependence provides a stronger universal generalization 
inference mechanism. Universal generalization is discussed later. 

Under strong-β-dependence the proof of the →_S preservation theorem 
is long and complex. The proof is divided into four parts. The first two 
parts introduce two concepts needed in the proof: β-dependency-paths and 
minimal-β-assignments. The third part contains the proof itself. This proof 
relies on the first minimal assignment lemma which is stated but not proven 
in the section on minimal assignments. The fourth part of the proof consists 
of a proof of the first minimal assignment lemma. 
5.3.1 β-Dependency-Paths 

Before proving the →_S preservation theorem it is useful to prove certain 
lemmas involving the notion of (strong) β-dependence. The following def-
inition and lemma provide an alternative characterization of the notion of β-
dependence. 



Definition: Let β be a binding set over a semantic modulation 
graph S. A β-dependency-path is a sequence ⟨n_1, n_2, ..., n_k⟩ where 
each n_i is a variable node and for each pair n_i, n_{i+1} in the path 
one of the following two conditions holds. 

• n_i is β-free and n_{i+1} is a free variable of the type node of n_i. 

• n_i is bound under β by virtue of the binding n_i ↦ r and 
n_{i+1} is a free variable of the node r. 




If s is a node in S such that n_1 is a free variable of s then the β-
dependency-path ⟨n_1, n_2, ..., n_k⟩ is said to be a β-dependency-
path from node s to the variable n_k. 

Lemma: If β is a binding set over a semantic modulation graph 
S, s is any node in S, and n is a variable node in S then s β-
depends on n just in case there exists a β-dependency-path from 
s to n. 

Lemma: There are no β-dependency-loops just in case there is 
no β-dependency-path of length greater than 1 that begins and 
ends with the same variable node. 



The characterization of β-dependence in terms of β-dependency paths 
makes it easier to verify certain facts about β-dependency. The following 
lemma precisely characterizes the non-monotonic nature of β-dependency. 
This non-monotonicity lemma will be important in the proof of the →_S 
preservation theorem. 
Non-Monotonicity Lemma: Let β be a binding set over a 
semantic modulation graph S. Let n ↦ r be a binding such that 
r does not β-depend on n and let β' be the binding set which 
results from adding the binding n ↦ r to β. Now let s be any 
node and let n' be any variable node. If s β-depends on n' but s 
does not β'-depend on n' then every β-dependency path from s 
to n' must include n and r must not β-depend on n'. 

Proof: Suppose s β-depends on n' but that s does not β'-depend 
on n'. It is easy to show that every β-dependency path from s to 
n' includes n. More specifically if there existed a β-dependency-
path from s to n' that does not include n then this path would 
also be a β'-dependency-path and thus s would β'-depend on n'. 
Now I will show that r does not β-depend on n'. Suppose r did 
β-depend on n'. In this case there exists a β-dependency-path 
from r to n'. The conditions of the lemma state that r does not 
β-depend on n and thus the β-dependency path from r to n' does 
not include n. Thus this path is also a β'-dependency path and 
so r also β'-depends on n'. Furthermore, since s β-depends on n' 
there must exist a β-dependency-path from s to n' and, by the 
above comments, any such path must include n. Consider the 
shortest possible β-dependency path from s to n. This path only 
involves n as the last node in the path and thus it is also a β'-
dependency path. The β'-dependency-paths from s to n and from 
r to n' can be combined to yield a β'-dependency-path from s to 
n'. But this violates the assumption that s does not β'-depend 
on n'. Thus r must not β-depend on n'. 
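As an added worked example (mine, not code from the Ontic system), the following Python models strong β-dependence by the dependency-path characterization of this section, weak β-dependence as defined at the start of section 5.3, the two side conditions on generating a binding n ↦ r from the definition of →_S, the dependency-loop test in the form of the lemma above, and the situation of the non-monotonicity lemma. The graph (variables x, y, z, the type nodes Number and GreaterThan[y], and the terms x_plus_1 and z_plus_1) is constructed for the example, as is the convention that a variable node's only free variable is itself; the established-type check on r is assumed to have been done separately.

```python
from collections import deque

# Constructed toy graph for the example; not Ontic's data structures.
VARIABLES = {"x", "y", "z"}
TYPE_NODE = {"x": "GreaterThan[y]", "y": "Number", "z": "Number"}
FREE_VARS = {
    "Number": set(),
    "GreaterThan[y]": {"y"},   # the type of x mentions y, so x directly depends on y
    "x_plus_1": {"x"},         # the term x + 1
    "z_plus_1": {"z"},         # the term z + 1
}


def free_variables(node):
    """A variable node's only free variable is itself (assumption of this example)."""
    return {node} if node in VARIABLES else FREE_VARS[node]


def step(v, beta, weak=False):
    """Variables that may follow v in a beta-dependency-path (strong by default).
    Strong: a bound variable continues only into its binding, a free one only into
    its type.  Weak: a bound variable may also continue into its type."""
    nxt = set()
    if v in beta:
        nxt |= free_variables(beta[v])
    if v not in beta or weak:
        nxt |= free_variables(TYPE_NODE[v])
    return nxt


def reachable(start, beta, weak=False):
    """All variables reachable from the start variables along path steps."""
    seen, queue = set(), deque(start)
    while queue:
        v = queue.popleft()
        if v not in seen:
            seen.add(v)
            queue.extend(step(v, beta, weak))
    return seen


def depends(s, n, beta, weak=False):
    """s beta-depends on n iff some beta-dependency-path leads from s to n."""
    return n in reachable(free_variables(s), beta, weak)


def dependency_paths(s, n, beta):
    """Every loop-free (strong) beta-dependency-path from s to n, as tuples."""
    found = []

    def dfs(v, path):
        if v == n:
            found.append(tuple(path))
            return
        for w in step(v, beta):
            if w not in path:
                dfs(w, path + [w])

    for v in free_variables(s):
        dfs(v, [v])
    return found


def has_dependency_loop(beta):
    """Lemma form: a beta-dependency-path of length > 1 from a variable to itself."""
    return any(v in reachable(step(v, beta), beta) for v in VARIABLES)


def try_bind(beta, n, r):
    """The two ->_S side conditions checked before n ↦ r is generated.
    Returns the extended binding set, or None when the binding is refused."""
    if n in beta:                 # n must be beta-free
        return None
    if depends(r, n, beta):       # r must not beta-depend on n (so n ↦ n + 1 is refused)
        return None
    return {**beta, n: r}


if __name__ == "__main__":
    b1 = try_bind({}, "x", "z_plus_1")
    print("x ↦ x + 1 refused:", try_bind({}, "x", "x_plus_1") is None)
    print("x + 1 depends on y before binding x:", depends("x_plus_1", "y", {}))
    print("x + 1 depends on y after binding x:", depends("x_plus_1", "y", b1))
    print("weak dependence on y survives:", depends("x_plus_1", "y", b1, weak=True))
```

Running it shows the erasure described above: with β empty, x_plus_1 depends on y through the single path ⟨x, y⟩, which passes through x; after the binding x ↦ z_plus_1 (which is allowed, since z_plus_1 does not depend on x) the strong dependency on y is gone while the weak one remains. The loop test shows why the side condition matters: forcing both x ↦ z_plus_1 and z ↦ x_plus_1 into a binding set produces a dependency loop, and try_bind refuses the second binding precisely because x_plus_1 already depends on z.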



5.3.2 Minimal-β-Assignments 

Intuitively one would like an assignment of the form n := c to alter as few 
nodes as possible. For example suppose that n is a variable node that ranges 
over numbers and that n' is a variable node that ranges over numbers which 
are greater than n. Since n is a free variable of the type of n', the variable 
node n' depends on the variable node n. Now suppose w is a world in which 
n is 2 and n' is 5 and consider the assignment n := 4. Since n' depends 
on n the assignment n := 4 is allowed to change the value of n'. In this 
case however such a change is not needed; the old value of n', the number 
5, is still an instance of the type of n' when n is set to the number 4. A 
minimal-β-assignment is a β-assignment that changes only those parameters 
whose values must be changed. 



Definition: Let β be any binding context over a semantic mod-
ulation graph S and let n be any variable node in S. A β-
supervariable of n is defined to be any β-free variable other than 
n that β-depends on n. 

Let β be a binding set over a semantic modulation graph S, let 
w be a world in a satisfactory semantics W for S, let n be a 
β-free variable node in S and let c be an instance of the type 
of n in world w under semantics W. A minimal-β-assignment 
w[β, n := c] of n to c in world w is a β-assignment w[β, n := c] 
of n to c in w such that if n' is a β-supervariable of n and the 
color of n' under w is an instance of the type of n' in w[β, n := c] 
then w[β, n := c] agrees with w on n'. 

Let β be a binding set over a semantic modulation graph S and 
let W be a satisfactory semantics for S. We say that minimal-
β-assignments exist in W if for every world w in W, every β-free 
variable node n in S and every instance c of the type of n in 
w under semantics W, the semantics W contains a minimal-β-
assignment of n to c in w. 

First Minimal Assignment Lemma: Let β be a binding set 
over a semantic modulation graph S and let W be a satisfactory 
semantics for S. If β-assignments exist in W and there are no 
β-dependency loops then minimal-β-assignments exist in W. 

The first minimal assignment lemma is proved via a conceptual pro-
cedure for constructing minimal assignments. A minimal assignment can be 
found by first making an arbitrary assignment and then "fixing up" the su-
pervariables that were needlessly changed by the assignment. The full proof 
of the first minimal assignment lemma is fairly long and cumbersome and is 
relegated to its own section so that it can be easily avoided by the reader. 
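The numeric example that opens this subsection and the "fix up" procedure just sketched can be carried through concretely. The following Python is an added example (mine, not code from the Ontic system) in which worlds are dictionaries of values, a variable's type is a predicate over the world so that it may mention other variables, and the binding set is empty, so the only supervariable relation is the direct one, declared by hand as an assumption. The function minimal_assignment makes the assignment and then restores every supervariable whose old value is still an instance of its type in the new world; is_minimal checks the definition against any proposed assignment.

```python
# Constructed two-variable world: n ranges over numbers, n2 over numbers
# greater than n.  Types are predicates over a world (assumption of this example).
TYPES = {
    "n":  lambda w: isinstance(w["n"], int),
    "n2": lambda w: isinstance(w["n2"], int) and w["n2"] > w["n"],
}
# n2 is a supervariable of n because n is a free variable of the type of n2;
# with an empty binding set this direct dependence is all there is.
SUPERVARIABLES = {"n": ["n2"], "n2": []}


def is_instance(var, value, world):
    """Is value an instance of the type of var, as that type reads in world?"""
    return TYPES[var]({**world, var: value})


def smallest_instance(var, world):
    """A fresh instance of the type of var in world (searched upward from 0)."""
    v = 0
    while not is_instance(var, v, world):
        v += 1
    return v


def minimal_assignment(world, var, value):
    """The world w[var := value] that changes a supervariable only when its
    old value is no longer an instance of its (possibly changed) type."""
    if not is_instance(var, value, world):
        raise ValueError(f"{value!r} is not an instance of the type of {var}")
    new = {**world, var: value}
    for sv in SUPERVARIABLES[var]:
        # "fix up" step: keep the old value whenever it still fits the new type
        if not is_instance(sv, world[sv], new):
            new[sv] = smallest_instance(sv, new)
    return new


def is_minimal(world, new, var):
    """Definition check: every supervariable of var whose old value is an
    instance of its type in the new world must keep that old value."""
    return all(new[sv] == world[sv]
               for sv in SUPERVARIABLES[var]
               if is_instance(sv, world[sv], new))


if __name__ == "__main__":
    w = {"n": 2, "n2": 5}
    print(minimal_assignment(w, "n", 4))    # n2 stays 5: still greater than 4
    print(minimal_assignment(w, "n", 7))    # n2 must change: 5 is not greater than 7
    print(is_minimal(w, {"n": 4, "n2": 9}, "n"))   # a legal but non-minimal assignment
```

With n := 4 the old value 5 of n2 still satisfies its type, so the minimal assignment leaves it alone; with n := 7 it does not, and the fix-up step picks a fresh instance. The assignment {n: 4, n2: 9} is a perfectly good assignment of n to 4 (n2 is allowed to change because it depends on n) but it is not minimal, which is exactly the distinction the definition draws.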



Second Minimal Assignment Lemma: Let β be a binding 
set over a semantic modulation graph S. Let w be a world in a 
satisfactory semantics W for S such that w satisfies β. Let n be 
a variable node in S, let c be a color in the semantic domain of 
W and let w[β, n := c] be a member of W that is a minimal-β-
assignment of n to c in w. If s is a node in S such that w and 
w[β, n := c] disagree on s, and if there are no β-dependency loops 
then there exists a β-dependency-path from s to n such that w 
and w[β, n := c] disagree on every node in that path. 

Proof: If there are no β-dependency-loops then no β-dependency 
path is longer than the number of nodes in the graph S. Thus 
there is an absolute maximum length for β-dependency-paths. 
Let D be the set of all nodes s such that w and w[β, n := c] 
disagree on s. For any member s of D let the β-path-distance from 
s to n be the maximum length of any β-dependency-path from s to n. 
Since w[β, n := c] is a β-assignment of n to c in 
w, if w and w[β, n := c] disagree on s then s must β-depend 
on n. Thus if s is in D then there exists a β-dependency-path 
from s to n. Now consider an arbitrary member s of D. We 
must show that there exists a β-dependency-path from s to n 
such that the entire path is contained in D. It suffices to show 
that there exists a β-dependency-path contained entirely in D 
from s to some node closer to n; a path in D from s to n can 
be constructed from smaller paths that always get closer to n. 
Since W is a satisfactory semantics for S the labels of a node 
are determined by the color labels of the free variables of that 
node. Thus if s is in D, i.e. if w and w[β, n := c] disagree on s, 
then there must be some free variable n' of s which is also in D. 
Furthermore the β-path-distance from n' to n must be less than or 
equal to the β-path-distance from s to n. If n' equals n then the 
singleton path ⟨n'⟩ is a β-dependency-path from s to n which 
is contained entirely in D. So suppose n' is not equal to n. Now 
there are two cases. First suppose that β contains a binding of 
the form n' ↦ r. Since both w and w[β, n := c] satisfy β both 
worlds assign the same color to n' and r and since n' is in D, 
r must be in D. But since r is in D some free variable n'' of r 
must be in D. But ⟨n', n''⟩ is a β-dependency path contained 
entirely in D from s to n'' and n'' must be closer to n than s under 
β-path-distance. Now suppose that n' is β-free. In this case n' 
is a β-supervariable of n. Furthermore since n' is in D and since 
w[β, n := c] is a minimal-β-assignment of n to c in w, the color of 
n' in w must not be an instance of the type of n' in w[β, n := c]. 
This implies that the type of n' in w[β, n := c] is different from 
the type of n' in w. But since W is a satisfactory semantics the 
type of a variable is determined by the color of the type node of 
that variable. Thus the type node of n' must be in D. But this 
implies that some free variable n'' of the type node of n' is also 
in D. In this case ⟨n', n''⟩ is the desired β-dependency-path in 
D from s to a node which is closer to n under β-path-distance. 

5.3.3 The →_S Preservation Theorem 

Except for the proof of the first minimal assignment lemma, the ground-
work has now been laid for the proof of the →_S preservation theorem. The 
theorem uses a simple lemma about ℒ-established-type-nodes. 



Lemma: Let W be a satisfactory semantics for a semantic mod-
ulation graph S, let ℒ be a truth and color labeling of S and let w 
be a world in W such that w satisfies ℒ. If m is an ℒ-established-
type-node for a node r of S then the color of r in the world w is 
an instance of m in w. 



The above lemma follows directly from the definition of an ℒ-established-
type-node and the definition of a satisfactory semantics for a semantic mod-
ulation graph; the proof is left to the reader. Given this lemma we can now 
prove the →_S preservation theorem. 



Proof of the →_S Preservation Theorem: Suppose that T is 
W-valid and that T →_S T'. We must show that T' is W-valid. 
First suppose that the binding set of T' is the same as the binding 
set of T. In this case let β be the binding set of T and let ℒ and 
ℒ' be the labelings of T and T' respectively. Since the binding 
set of T' also equals β it is clear that the binding set of T' is 
W-legal. Now let w be any world in W that satisfies β. To show 
that T' is W-valid it suffices to show that w satisfies ℒ'. Because 
T is W-valid, w must satisfy ℒ. Furthermore it follows from the 
definition of →_S that if the binding set of T' equals the binding 
set of T then ℒ →_C ℒ' where C is the congruence constraint 
graph underlying S. But now the soundness of →_C implies w satisfies 
ℒ'. 
Now suppose that the binding set of T' is different from the 
binding set of T. Let β and β' be the binding sets of T and 
T' respectively and let ℒ and ℒ' be the labelings of T and T' 
respectively. It follows from the definition of →_S that β' equals 
β ∪ {n ↦ r} where n is a β-free variable of type m, m is an 
ℒ-established-type-node for r, and r does not β-depend on n. 

First consider any world w that satisfies the binding set β'. 
We must show that w satisfies ℒ'. Since w satisfies β it must 
also satisfy the labeling ℒ. Since w satisfies the binding n ↦ r 
it must assign n and r the same color. Thus w must assign all 
nodes which are equivalent to n under ℒ and all nodes which are 
equivalent to r under ℒ the same color. The labeling ℒ' is the 
labeling derived from ℒ by merging the equivalence classes of n 
and r. Thus w satisfies ℒ'. 

Next I will show that there are no β'-dependency-loops. The 
proof is by contradiction. Suppose there were a β'-dependency-
loop. In this case there is a β'-dependency-path of length greater 
than 1 from a variable node to itself, i.e. a loop. This loop must 
involve the node n because otherwise it would be a β-dependency-
loop and by assumption there are no such loops. But β' contains 
the binding n ↦ r and thus if there exists a β'-dependency-loop 
that involves n there must exist a β'-dependency path from r to 
n. Consider a particular β'-dependency path from r to n. The 
node n might occur multiple times in this path. Consider the 
subpath of this path that ends with the first occurrence of n. This 
subpath is a β-dependency path. But by assumption there are 
no β-dependency-paths from r to n. 

Now I will show that β' is W-universally-satisfiable. Let w be 
any world in W. Since β is universally satisfiable there exists a 
world w[β] which satisfies β and which agrees with w on all nodes 
that do not depend on any variable bound under β. Because T is 
W-valid and w[β] satisfies β, w[β] must also satisfy ℒ. Because 
m is an ℒ-established-type-node for r and w[β] satisfies ℒ, the 
color of r in w[β] must be an instance of m in w[β]. Let c be 
the color assigned to r in the world w[β]. Because β-assignments 
exist there exists a β-assignment w[β][β, n := c] of n to c in w[β]. 
Since r does not β-depend on n the world w[β][β, n := c] must 
assign r the color c. Thus, in addition to satisfying β, the world 
w[β][β, n := c] also satisfies the binding n ↦ r and thus this 
world satisfies β'. It remains only to show that w[β][β, n := c] 
agrees with w on all nodes that do not directly depend on any 
variable bound under β'. Let s be such a node. There does not 
exist any direct dependency path from s to a node bound under 
β'. Therefore there can not exist any β-dependency path from 
s to n because any such path would either be a direct path or 
would include a direct path to some node bound under β'. Thus 
s does not β-depend on n and thus w[β][β, n := c] and w[β] must 
agree on s. But by the definition of w[β], w[β] must agree with 
w on s. 

Finally I will show that β'-assignments exist. Let w be any
world in 𝒲 that satisfies β', let n' be a β'-free variable and let c be
an instance of the type of n' in the world w under the semantics
𝒲. We must construct a β'-assignment w[β', n' := c] of n' to c
in w. Recall that β' differs from β in that β' contains the one
additional binding n ↦ r. The world w[β', n' := c] is constructed
in one of three different ways depending on which, if any, of the
nodes n and r β-depend on n'. In all three cases the construction
begins by considering a β-assignment w[β, n' := c] of n' to c in
w. Unfortunately the world w[β, n' := c] need not satisfy the
binding n ↦ r. Furthermore, and more seriously, in one of the
three cases β-dependence is non-monotonic; there may be a node
s which β-depends on n' but does not β'-depend on n'. In this
case w[β, n' := c] may disagree with w on s even though s does
not β'-depend on n'.

First consider the case where neither n nor r β-depend on
n'. Since 𝒲 is a satisfactory semantics for S, 𝒲 contains a β-
assignment w[β, n' := c] of n' to c in w. In this case w[β, n' := c]
is also a β'-assignment of n' to c in w. To see this first note that
w[β, n' := c] satisfies the binding n ↦ r. More specifically, by
assumption w satisfies n ↦ r and since neither n nor r β-depend
on n', w[β, n' := c] also satisfies n ↦ r. Furthermore the non-
monotonicity lemma implies that in this case every node which
β-depends on n' also β'-depends on n'. Every node on which w
and w[β, n' := c] disagree must β-depend on n' and therefore
every such node must β'-depend on n'.

Now suppose that r β-depends on n'. Since β is 𝒲-legal, 𝒲
contains a β-assignment w[β, n' := c] of n' to c in w. Since Γ is
𝒲-valid and since w[β, n' := c] satisfies β, the world w[β, n' := c]
satisfies ℒ. However w[β, n' := c] need not satisfy the binding
n ↦ r; the assignment to n' may change the value of r. In
this case we satisfy the binding n ↦ r by reassigning n. More
specifically let c_r be the color assigned to r in the world w[β, n' :=
c]. Since the type node for n is an ℒ-established-type-node for
r, the color c_r must be an instance of the type node of n in the
world w[β, n' := c]. Thus 𝒲 contains a β-assignment w[β, n' :=
c][β, n := c_r] of n to c_r in w[β, n' := c]. I will show that w[β, n' :=
c][β, n := c_r] is the desired β'-assignment of n' to c in w. Since
r does not β-depend on n the world w[β, n' := c][β, n := c_r]
assigns r the color c_r and thus this world satisfies the binding
n ↦ r. Furthermore one can show that n' does not β-depend
on n. More specifically, in this case r β-depends on n' so if n' β-
depended on n then r would β-depend on n, which is ruled out
by the conditions governing the generation of bindings. Since n'
does not β-depend on n the world w[β, n' := c][β, n := c_r] assigns
n' the color c. Finally consider some node s such that w[β, n' :=
c][β, n := c_r] disagrees with w on s. We must show that s β'-
depends on n'. Note that in this case either w and w[β, n' := c]
disagree on s or w[β, n' := c] and w[β, n' := c][β, n := c_r] must
disagree on s. First note that if w[β, n' := c] disagrees with w
on s then s must β-depend on n'. The non-monotonicity lemma
implies that if r β-depends on n' then every node which β-depends
on n' also β'-depends on n'. Thus if w[β, n' := c] disagrees with
w on s then s β'-depends on n'. Now suppose that w[β, n' := c]
and w[β, n' := c][β, n := c_r] disagree on s. In this case s must β-
depend on n. Furthermore, one can show that s β'-depends on n;
since there are no β-dependency-loops a β-dependency-path from
s to n involves n only as its final node and therefore any such path
is also a β'-dependency path. Furthermore, since r β-depends on
n' but does not β-depend on n there exists a β-dependency path
from r to n' that does not involve n. The path from r to n' is
also a β'-dependency path. Thus there is a β'-dependency path
from s to n'.

Now consider the non-monotonic case where n β-depends on
n' but r does not β-depend on n'. Since β-assignments exist in
𝒲, minimal β-assignments also exist in 𝒲. Thus 𝒲 contains a
minimal β-assignment w[β, n' := c] of n' to c in w. I will show
that this minimal β-assignment is the desired β'-assignment of
n' to c in w. Since r does not β-depend on n' the worlds w and
w[β, n' := c] agree on r; let c_r be the color assigned to r in either
world. By the argument given above c_r must be an instance of
the type of n in the world w[β, n' := c]. Now by the definition
of minimal-β-assignments the world w[β, n' := c] must assign n
the color c_r. Thus w[β, n' := c] satisfies the binding n ↦ r.

Now consider a node s such that w and w[β, n' := c] disagree
on s. By the definition of β-assignments s must β-depend on
n'. Now suppose that s does not β'-depend on n'. In this case
the non-monotonicity lemma implies that every β-dependency-
path from s to n' includes the node n. But the second minimal
assignment lemma implies that if w and w[β, n' := c] disagree on
s then there exists a β-dependency-path from s to n' such that
w and w[β, n' := c] disagree on every node in the path. But
this is impossible because every β-dependency-path from s to n'
includes n and it has been shown that w and w[β, n' := c] agree
on n.



5.3.4 Proof of the First Minimal Assignment Lemma 

Intuitively, minimal-β-assignments exist because there exists a conceptual
procedure for constructing them. The procedure takes an arbitrary assign-
ment and "fixes up" variables that were unnecessarily changed. Variables
are fixed up using a recursive procedure for targeted assignment.

Definition: Let β be a binding set over a semantic modulation
graph S. Let w and w' be worlds in a satisfactory semantics
𝒲 for S such that both w and w' satisfy β. Let n be a β-free
variable node, let c be an instance of the type of n in the world
w. A targeted-β-assignment of n to c in w with target w' is a
β-assignment w[β, n := c] of n to c in w such that if n' is a β-
supervariable of n and the color of n' under the target world w'
is an instance of the type of n' in w[β, n := c] then w[β, n := c]
agrees with the target w' on n'.

A procedure for computing targeted assignments can be used to compute
minimal assignments; a minimal assignment is just a targeted assignment
where the target equals the world in which the assignment is done. More
specifically, to prove the first minimal assignment lemma it suffices to prove
that targeted assignments exist.



Definition: Let β be a binding set over a semantic modulation
graph S, let 𝒲 be a satisfactory semantics for S and let n be a
β-free variable node in S.

We say that targeted-β-assignments exist for n in 𝒲 if for all
worlds w and w' in 𝒲 and all colors c which are instances of the
type of n in w under the semantics 𝒲, the semantics 𝒲 contains
a targeted-β-assignment of n to c in w with target w'.

We say that targeted-β-assignments exist in 𝒲 if for every β-free
variable node n in S targeted-β-assignments exist for n in 𝒲.



The conceptual procedure for computing a targeted assignment of n to c
takes an arbitrary assignment of n to c and recursively "fixes" the immediate-
β-supervariables of n. Recall that a β-supervariable of n is a β-free variable
node n' other than n which β-depends on n. If there are no β-dependency-
loops then the notion of β-dependence determines a partial order on variable
nodes. If n' β-depends on n then we can picture n' as being above n. The
immediate-β-supervariables of n are the least members (under β-dependence)
of the β-supervariables of n.



Definition: Let β be a binding set over a semantic modulation
graph S. Let n be a β-free variable node in S.

An immediate-β-supervariable of n is a β-supervariable n' of n
such that there is no variable in between n' and n, i.e. there is no
β-supervariable n'' of n such that n' is a β-supervariable of n''.

Observation: No two immediate-β-supervariables of n β-depend
on each other, i.e. if n' and n'' are distinct immediate-β-supervariables
of n then n' does not β-depend on n''.

Observation: If there are no β-dependency-loops then every β-
supervariable of n is either an immediate-β-supervariable of n or
is a β-supervariable of some immediate-β-supervariable of n.



The conceptual procedure for recursively computing targeted assignments 
always terminates because the recursive calls always involve variables of lower 
depth and no variable has depth less than 1. The depth of a variable is defined 
as follows: 



Definition: Let β be a binding set over a semantic modulation
graph S such that there are no β-dependency-loops. For each
variable node n let the β-depth of n be the length of the longest β-
dependency path ending at n.

Observation: If β is a binding set over S such that there are no
β-dependency-loops and n is a β-free variable node in S then all
β-supervariables of n have smaller β-depth than n.
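The following Python sketch is an added illustration of the definitions above; it is not code from the thesis or from the Ontic system. It represents a β-dependency graph as the direct dependency edges plus one edge per binding n ↦ r, and on a small constructed graph computes the β-supervariables and immediate-β-supervariables of a node, the β-depth as the longest path ending at that node, and the presence of β-dependency-loops (the condition the binding rules require to be absent). The node names, the dict representation of β, and the treatment of a bound variable as depending on its value are assumptions of the example.

```python
from collections import defaultdict

# Constructed toy graph (not from the thesis).  DIRECT maps each node to the
# nodes it directly depends on; a dependency path runs from the dependent
# node down to the nodes it depends on.
DIRECT = {
    "a": [],
    "b": ["a"],   # b mentions a
    "c": ["b"],   # c mentions b, and so depends on a through b
    "d": ["a"],   # d mentions a
}
VARIABLES = {"a", "b", "c", "d"}


def beta_edges(direct, bindings):
    """Edges of the β-dependency graph: every direct edge plus one edge
    n -> r for each binding n ↦ r (assumption: a bound variable depends
    on the node it is bound to)."""
    edges = defaultdict(list)
    for s, targets in direct.items():
        edges[s].extend(targets)
    for n, r in bindings.items():
        edges[n].append(r)
    return edges


def has_dependency_loop(edges):
    """True if a β-dependency path of length greater than 1 leads from some
    node back to itself, i.e. the graph has a β-dependency-loop."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)

    def visit(u):
        colour[u] = GREY
        for v in list(edges[u]):
            if colour[v] == GREY or (colour[v] == WHITE and visit(v)):
                return True
        colour[u] = BLACK
        return False

    return any(colour[u] == WHITE and visit(u) for u in list(edges))


def beta_depends(edges, s, n):
    """s β-depends on n if a path with at least one edge leads from s to n."""
    seen, stack = set(), list(edges[s])
    while stack:
        v = stack.pop()
        if v == n:
            return True
        if v not in seen:
            seen.add(v)
            stack.extend(edges[v])
    return False


def supervariables(direct, bindings, variables, n):
    """β-supervariables of n: β-free variables other than n that β-depend on n."""
    edges = beta_edges(direct, bindings)
    free = variables - {n} - set(bindings)
    return {v for v in free if beta_depends(edges, v, n)}


def immediate_supervariables(direct, bindings, variables, n):
    """β-supervariables of n with no other β-supervariable of n in between."""
    edges = beta_edges(direct, bindings)
    sup = supervariables(direct, bindings, variables, n)
    return {v for v in sup if not any(beta_depends(edges, v, u) for u in sup - {v})}


def beta_depth(direct, bindings, n):
    """Number of nodes on the longest β-dependency path ending at n (the
    singleton path <n> counts 1).  Only defined when there are no loops."""
    edges = beta_edges(direct, bindings)
    if has_dependency_loop(edges):
        raise ValueError("β-depth is undefined in the presence of β-dependency-loops")
    preds = defaultdict(list)
    for u, targets in list(edges.items()):
        for v in targets:
            preds[v].append(u)
    memo = {}

    def depth(v):
        if v not in memo:
            memo[v] = 1 + max((depth(p) for p in preds[v]), default=0)
        return memo[v]

    return depth(n)


if __name__ == "__main__":
    for beta in ({}, {"d": "c"}):   # β empty, then β = {d ↦ c}
        print("β =", beta,
              "supervariables of a:", sorted(supervariables(DIRECT, beta, VARIABLES, "a")),
              "immediate:", sorted(immediate_supervariables(DIRECT, beta, VARIABLES, "a")),
              "depth of a:", beta_depth(DIRECT, beta, "a"))
    print("a ↦ c creates a loop:", has_dependency_loop(beta_edges(DIRECT, {"a": "c"})))
```

With β empty, a has supervariables b, c and d, of which b and d are immediate (c reaches a only through b), and every supervariable has smaller depth than a, as the observation states. Adding the binding d ↦ c removes d from the β-free variables and lengthens the longest path ending at a, while a binding a ↦ c would close a loop and is exactly what the binding rules forbid.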
The recursive conceptual procedure for computing targeted assignments
can be expressed as an induction proof that targeted assignments exist. The
proof is by induction on the β-depth of variable nodes.



Lemma: Let β be a binding set over a semantic modulation
graph S such that there are no β-dependency-loops and let 𝒲
be a satisfactory semantics for S such that β-assignments exist
in 𝒲. Under these conditions targeted β-assignments also exist
in 𝒲.

Proof: I will show by induction on the depth of variable nodes
that for all variable nodes n, if n is β-free then targeted assign-
ments exist for n in 𝒲. Every variable node in S has a β-depth
of at least 1 (the singleton path <n> is always a dependency
path). Suppose that n has depth 1. In this case there are no
β-supervariables of n and thus any assignment of n to c satisfies
the definition of a targeted assignment. Thus if n is β-free and
has depth 1 then targeted β-assignments exist for n in 𝒲. Now
suppose that n is a variable of depth k where k is greater than 1
and targeted-β-assignments exist in 𝒲 for all β-free variables of
depth less than k. Now suppose that n is β-free and let w and
w' be worlds in 𝒲 that satisfy β. Let c be a color which is an
instance of the type of n in the world w. We must show that
𝒲 contains a targeted-β-assignment of n to c in w with target w'.
Since β-assignments exist in 𝒲 there exists a world w[β, n := c]
in 𝒲 which is a β-assignment of n to c in w. Let n_1, n_2, ..., n_k
be the immediate-β-supervariables of n and let c_1, c_2, ..., c_k be the
target colors for n_1, n_2, ..., n_k, i.e. c_i is the color of n_i in the target
world w'. Each variable n_i has smaller depth than n so by the
induction hypothesis targeted-β-assignments exist in 𝒲 for each
n_i. Let w_0, w_1, w_2, ..., w_k be worlds in 𝒲 defined as follows: w_0
equals w[β, n := c]. If c_i is an instance of the type of n_i in the
world w_{i-1} then w_i is a targeted-β-assignment w_{i-1}[β, n_i := c_i] of
n_i to c_i in w_{i-1} with target w'. If c_i is not an instance of the type
of n_i in the world w_{i-1} then w_i is a targeted-β-assignment
w_{i-1}[β, n_i := b_i] of n_i to b_i in w_{i-1} with target w', where b_i is
the color of n_i in w_{i-1}
(this targeted-β-assignment fixes the β-supervariables of n_i). I
will now show that w_k is the desired targeted-β-assignment of n
to c in w with target w'.

Consider an arbitrary β-supervariable n' of n and let c_t be the
target color for n', i.e. the color assigned to n' by the target world
w'. We must show that if the target color c_t is an instance of the
type of n' in the world w_k then w_k in fact assigns n' the target
color c_t. So suppose that c_t is an instance of the type of n' in the
world w_k. Now there are two cases. The variable n' is either an
immediate-β-supervariable of n or n' is a β-supervariable of some
immediate-β-supervariable of n.

First consider the case where n' is an immediate-β-supervariable
n_i of n and let m_i be the type node of n_i. The type node m_i must
not β-depend on any immediate-β-supervariables of n and thus
for all 0 ≤ j ≤ k the world w_j must agree with w_k on the type
node m_i. In particular w_{i-1} must agree with w_k on m_i. By as-
sumption the target color c_t is a member of the type of n_i in the
world w_k and so c_t must also be a member of the type of n_i in the
world w_{i-1}. Thus w_i is a targeted assignment w_{i-1}[β, n_i := c_t] of n_i
to its target color in w_{i-1} with target w'. Thus n_i is assigned the
target color c_t in the world w_i. Furthermore n_i does not β-depend
on any other immediate β-supervariables of n and thus w_k must
agree with w_i on n_i and thus w_k must assign n_i the target color
c_t.

Now suppose that n' is a β-supervariable of one or more of the
immediate-β-supervariables n_i. Let n_i be the "last" immediate-
β-supervariable such that n' β-depends on n_i, i.e. let n_i be the
immediate-β-supervariable such that n' β-depends on n_i and n'
does not β-depend on any immediate-β-supervariable n_j of n for
j > i. Let m be the type node of n'. Since n' does not β-depend
on any n_j for j > i, the type node m must not β-depend on any
n_j for j > i. Thus the world w_i defined above must agree with
w_k on the type node m. By assumption the target color c_t is
an instance of the type of n' in the world w_k. Thus c_t must be
an instance of the type of n' in the world w_i. But w_i is always
a targeted-β-assignment of n_i with target w'. Furthermore n' β-
depends on n_i. Thus, by the definition of a targeted-β-assignment
and the fact that the target c_t is an instance of the type of n' in
the world w_i, the world w_i must assign n' the target color c_t. But
n' does not β-depend on any n_j for j > i and thus the worlds w_i
and w_k must agree on n'. Thus w_k assigns n' the target color c_t.



5.4 Focus, Termination, and Order Independence



This section describes a relation →SF which is similar to →S except that
binding construction is guided by a set of focus objects. The relation →SF
is fully described in the beginning of this section; section 5.4.1 can be safely
ignored by readers not interested in correctness proofs.

The semantic modulation inference relation →S generates bindings of
the form n ↦ r. Unfortunately, in most applications there is a very large
number of potential bindings. To make the semantic modulation inference
process effective one must select useful bindings. In the Ontic system binding
selection is guided by a set of focus nodes. Given a set 𝓕 of focus nodes the
Ontic system only generates bindings of the form n ↦ r where r is a member
of 𝓕.

Focus nodes represent objects that the system is thinking about. Given a 
set of focus objects the system uses forward chaining to generate facts about 
those objects. A focus object is often a variable node. For example the user 
might direct the system to consider an arbitrary lattice. When this is done 
the system chooses a variable node n whose type node represents the class of 
all lattices. The variable n is then added to the set of focus objects. While 
focusing on the arbitrary lattice n the system will generate facts that hold for 
all lattices. In order to ensure that the facts generated about a focus variable 
n hold for all instances of the type of n the system must avoid binding n to 
any particular object. In general the system avoids binding variables that 
are depended on by focus objects; binding a variable depended on by a focus 
object can change the meaning of the focus object.

The system also avoids redundant bindings. Suppose that n and n' are
two variables that have the same type node m and suppose that m is an ℒ-
established-type-node for r. For the graphs generated by the Ontic compiler
there is no point in binding both n and n' to r; given the binding n ↦ r
nothing additional will be learned from the binding n' ↦ r.

In summary the Ontic system imposes three constraints on the binding
process: variables are only bound to focus nodes, the system does not bind
variables depended on by focus nodes, and the system does not generate
redundant bindings. These three constraints lead to the following definition
of the inference relation →SF defined relative to a semantic modulation
graph S and a set 𝓕 of focus objects.



Definition: Let 𝓕 be a subset of the nodes in a semantic mod-
ulation graph S.

Definition: Let Γ be a binding labeling of a semantic modula-
tion graph S such that Γ has binding set β. Let Γ' be a binding
labeling of S with binding set β'.

We write Γ →SF Γ' if Γ →S Γ' and either β' equals β or the
difference between β' and β consists of a single binding n ↦ r
where the following conditions hold:

• r is an element of 𝓕.

• No member of 𝓕 (directly) depends on n.

• β contains no binding n' ↦ r where n' has the same type
node as n.

We say that a variable node n in S is 𝓕-protected if some focus
node in 𝓕 depends on n. We say that an arbitrary node r is
𝓕-protected if every free variable of r is 𝓕-protected. Clearly the
elements of 𝓕 are 𝓕-protected.
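The three constraints on bindings can be made concrete with a small added Python example; it is not the Ontic implementation, and the graph representation, the `established` table standing in for the ℒ-established-type-node relation, and the type-respecting check credited to →S are all assumptions of the example. It filters candidate bindings n ↦ r for a constructed focus set and then applies admissible bindings one at a time until none remains, which is one normal form of the focused binding process.

```python
# Constructed scenario (not from the thesis or the Ontic implementation).
# The user has focused on an arbitrary lattice L and on the expression
# e = meet(L, a); lemma variables x1, x2 (type Lattice), y (type Poset),
# z (type Group) and v (type Elem) are available for binding.
GRAPH = {
    # direct dependencies: a node depends on its subexpressions and its type node
    "direct": {
        "L": ["Lattice"], "a": ["Elem"], "e": ["L", "a"],
        "x1": ["Lattice"], "x2": ["Lattice"], "y": ["Poset"],
        "z": ["Group"], "v": ["Elem"],
    },
    # type node of each variable node
    "type_of": {"L": "Lattice", "a": "Elem", "x1": "Lattice", "x2": "Lattice",
                "y": "Poset", "z": "Group", "v": "Elem"},
    # assumed stand-in for the ℒ-established-type-node relation: the type
    # nodes the current labeling establishes for each focus object
    # (a lattice is in particular a poset)
    "established": {"L": {"Lattice", "Poset"}, "e": {"Elem"}},
}
FOCUS = {"L", "e"}


def depends(direct, s, n, bindings=None):
    """s (β-)depends on n: s == n or a dependency path leads from s to n.
    When `bindings` is given, a bound variable also depends on its value."""
    bindings = bindings or {}
    seen, stack = set(), [s]
    while stack:
        u = stack.pop()
        if u == n:
            return True
        if u not in seen:
            seen.add(u)
            stack.extend(direct.get(u, []))
            if u in bindings:
                stack.append(bindings[u])
    return False


def protected_variables(graph, focus):
    """𝓕-protected variables: those that some focus node depends on."""
    return {n for n in graph["type_of"]
            if any(depends(graph["direct"], f, n) for f in focus)}


def admissible_bindings(graph, focus, bindings):
    """Bindings n ↦ r that →SF may add to the binding set `bindings`."""
    protected = protected_variables(graph, focus)
    out = []
    for n, m in graph["type_of"].items():
        if n in bindings:            # a variable is bound at most once
            continue
        for r in sorted(focus):      # (1) r must be a focus node
            if m not in graph["established"].get(r, set()):
                continue             # →S itself only binds type-respecting pairs
            if n in protected:
                continue             # (2) no focus node may depend on n
            if any(graph["type_of"][n2] == m and r2 == r
                   for n2, r2 in bindings.items()):
                continue             # (3) a variable of type m is already bound to r
            if depends(graph["direct"], r, n, bindings):
                continue             # r must not β-depend on n (no dependency loops)
            out.append((n, r))
    return sorted(out)


def normalize(graph, focus, bindings=None):
    """Add admissible bindings one at a time until none remains; the
    result is one normal form of the focused binding process."""
    bindings = dict(bindings or {})
    while True:
        candidates = admissible_bindings(graph, focus, bindings)
        if not candidates:
            return bindings
        n, r = candidates[0]
        bindings[n] = r


if __name__ == "__main__":
    print("protected:", sorted(protected_variables(GRAPH, FOCUS)))
    print("admissible at start:", admissible_bindings(GRAPH, FOCUS, {}))
    print("normal form:", normalize(GRAPH, FOCUS))
```

Here L and a are 𝓕-protected (e depends on both), so neither is ever bound; z is never bound because Group is not established for any focus object; and once x1 ↦ L is in β the binding x2 ↦ L is rejected as redundant, so the normal form binds exactly one Lattice variable, one Poset variable and one Elem variable.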
If β is a binding set generated by the relation →SF and if p is a node
that is 𝓕-protected then no variable depended on by p will be bound under
β. One effect of this statement is that if p is 𝓕-protected, β is a binding
set generated by →SF, and n is any variable node then p β-depends on n
just in case p directly depends on n. Furthermore all members of the focus
set 𝓕 are 𝓕-protected and thus in the second restriction on bindings in the
above definition it doesn't matter whether one uses β-dependence or direct
dependence — the two notions of dependence are the same when discussing
the dependence of 𝓕-protected nodes.

The relation →SF is simply a restriction of the relation →S and thus
the soundness theorem holds for →SF. Furthermore if p is 𝓕-protected then
no variable depended on by p will be bound by the inference relation →SF.
More specifically we have the following special case of the soundness theorem.



→SF Soundness Theorem: Let 𝒲 be a satisfactory semantics
for a semantic modulation graph S. Let Γ be a binding labeling
with an empty binding set and with a truth and color labeling ℒ
such that every world in 𝒲 satisfies ℒ. Now suppose Γ →SF* Γ'
where Γ' has binding set β and truth and color labeling ℒ'. If p
is a formula node that is 𝓕-protected and p is labeled true under
ℒ' then p must be labeled true in all worlds in 𝒲.



5.4.1 Termination and Order Independence 

This section proves a certain Church-Rosser property for the relation →SF. The
relation →SF is fully specified above and those readers not interested in cor-
rectness proofs can safely ignore this section.

The relation →SF operates on binding labelings of a semantic modulation
graph S. Since a given variable can only be bound once, and partial truth
labelings and color labelings can not be extended indefinitely, there can be
no infinite reduction chains of the form

Γ_1 →SF Γ_2 →SF Γ_3 →SF ...

Thus the relation →SF is well founded.

Let S be a semantic modulation graph, let Γ be an initial binding labeling,
let 𝓕 be a focus set over S, and let p be a formula node which is 𝓕-protected,
i.e. p represents some statement about the focus objects. The inference
relation →SF can be used in an attempt to prove p by binding variable
nodes to focus objects. More specifically the labeling Γ can be extended
via the relation →SF until a normal form is found. Let Γ' and Γ'' be two
normal forms of Γ under the inference relation →SF. Now for the graphs
generated by the Ontic compiler either Γ' and Γ'' are both inconsistent
or they both agree on p. More specifically, the compilation of individual
variables (which compile into generic individual nodes) and closed formulas
(such as the formulas in the lemma library) results in a homogeneous graph
as described below. For homogeneous graphs it is possible to prove that the
normal forms Γ' and Γ'' are equivalent under a certain equivalence relation
defined below. This equivalence relation has the property that if Γ' and Γ''
are equivalent then either they both exhibit premature termination or they
must agree on p. A binding labeling exhibits premature termination if it is
inconsistent or if there is some focus object r and an ℒ-established-type-node
m for r but there are no variables of type m that have been bound to r and
no variables of type m available for binding to r. In other words a binding
labeling exhibits premature termination if it runs out of variables to bind to
focus nodes. Because the Ontic compiler generates variables on demand, a
binding labeling does not exhibit premature termination in practice unless
it is inconsistent. Thus if Γ' and Γ'' are both normal forms of Γ under
the relation →SF, and if p is 𝓕-protected, then either Γ' and Γ'' are both
inconsistent or they agree on p.



Definition: Let Γ be a binding labeling of a semantic modula-
tion graph S. We say that Γ is S-inconsistent if the labeling of
Γ is C-inconsistent where C is the congruence constraint graph
underlying S.

Let 𝓕 be a subset of the nodes of a semantic modulation graph S
and let Γ be a binding labeling of S with truth and color labeling
ℒ. We say that Γ exhibits premature 𝓕-termination if either Γ
is S-inconsistent or there exists a focus object r in 𝓕 and an ℒ-
established-type-node m for r such that there is no binding of
the form n ↦ r in the binding set of Γ where n is a variable of
type m and every variable of type m is either 𝓕-protected or is
already bound under the binding set of Γ.

The equivalence relations defined in previous sections had the property
that any two inconsistent labelings were equivalent. The equivalence relation
defined below has the property that any two binding labelings which exhibit
premature termination are equivalent. In practice the Ontic system generates
variables on demand so that there are always enough variables in the graph
to avoid premature termination due to a lack of variables. Thus, in practice,
premature termination always involves an inconsistency. If Γ is a normalized
binding labeling with truth and color labeling ℒ such that Γ does not exhibit
premature termination and if r is a focus object and m is an ℒ-established-
type-node for r then some variable of type m is bound to r under the binding
set of Γ.

The graphs generated by the Ontic compiler are homogeneous in the sense
that if n and n' are two variables with the same type node then n and n'
are "identical" as nodes in the graph. More specifically if n and n' are both
variables with the same type node then there exists a symmetry of the graph
which carries n to n'. A symmetry is a particular way that an object is
identical to itself. For example a square is identical to itself when rotated
ninety degrees. The formal definition of symmetry is based on the general
notion of isomorphism. Two semantic modulation graphs are isomorphic if
there is a bijection between their nodes which carries the structure of one
onto the structure of the other. A symmetry is an isomorphism of an object
with itself, e.g. a rotation of a square is a particular way that the square is
isomorphic to itself.

To precisely define the notion of isomorphism one needs to define how a
map carries the structure of a graph. More specifically consider a bijection ι
which maps the nodes of a semantic modulation graph S to some other set
of nodes M. The map ι carries the graph S to the graph ι(S) such that the
nodes of ι(S) consist of the elements of M and the classification of nodes and
the links of ι(S) are defined as follows:
Definition: Let S be a semantic modulation graph and let ι be a
bijection mapping the nodes in S to some set. The map ι carries
the graph S to the graph ι(S) where the graph ι(S) is defined as
follows:

• The formula nodes of ι(S) are the objects of the form ι(n)
where n is a formula node of S. The quotation nodes, type
nodes, variable nodes and unclassified nodes of ι(S) are de-
fined similarly.

• If Ψ is a literal over the formula nodes in S then ι(Ψ) is
defined so that if Ψ is the node n then ι(Ψ) equals ι(n) and
if Ψ is the literal ¬n then ι(Ψ) equals ¬ι(n). The clause
links of ι(S) consist of all clause links of the form

ι(Ψ_1) ∨ ι(Ψ_2) ... ∨ ι(Ψ_i)

where S contains the clause link

Ψ_1 ∨ Ψ_2 ... ∨ Ψ_i

• The equality links of ι(S) consist of all links of the form

ι(p) ⇔ ι(n) = ι(m)

where S contains the link

p ⇔ n = m

The subexpression links, free variable links, type declara-
tion links, type formula links, and subtype links in ι(S) are
defined similarly.



Now consider a bijection ι that maps the nodes of a graph S to any set.
As discussed above the bijection ι carries the structure of the graph S over
to the structure of a new graph ι(S). The bijection ι also carries binding
labelings of S over to binding labelings of the graph ι(S).
Definition: Let ι be a bijection from the nodes of a semantic
modulation graph S to some set.

Let ℒ be a truth and color labeling of S. The labeling ι(ℒ) is the
truth and color labeling of ι(S) such that if ℒ labels p true then
ι(ℒ) labels ι(p) true and if ℒ assigns node r the color c then ι(ℒ)
assigns ι(r) the color c.

Let β be a binding set over S. The bijection ι carries β to the
binding set ι(β) over the graph ι(S) where ι(β) consists of all
bindings of the form ι(n) ↦ ι(r) where n ↦ r is a binding in β.

Let Γ be a binding labeling of S with binding set β and truth
and color labeling ℒ. The mapping ι carries Γ to the binding
labeling ι(Γ) with binding set ι(β) and truth and color labeling
ι(ℒ).

For any bijection ι from the nodes of a semantic modulation graph S to
some set, the graph ι(S) is in some sense identical to the graph S even though
the nodes of ι(S) may be different from the nodes of S. This observation
leads to the notion of isomorphism.

Definition: Two semantic modulation graphs S and S' are iso-
morphic just in case S' can be written as ι(S) for some bijection
ι between the nodes of S and the nodes of S'. A map ι which
carries S to S' is called an isomorphism between S and S'.

The notion of isomorphism leads to a notion of symmetry. 

Definition: A symmetry of a semantic constraint graph S is an
isomorphism of S with itself, i.e. a bijection ι from the nodes of
S to themselves such that ι(S) equals S.

As mentioned above the graphs generated by compiling individual variables 
and closed formulas are highly symmetrical. More specifically, such graphs 
are homogeneous in the following sense. 
Definition: Two variables n and n' in a semantic modulation
graph S will be called S-identical if there exists a symmetry ι of
S which exchanges n and n' and which is the identity map for all
nodes r which do not depend on either n or n'.

A semantic modulation graph S is called homogeneous if any two
variables with the same type node are S-identical.
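As an added example (not code from the thesis or the Ontic system), the following Python sketch stores a small constructed semantic modulation graph as plain sets of links, applies a bijection ι to it link by link as in the definition of ι(S) above, tests whether ι is a symmetry by checking ι(S) = S, and uses that to decide S-identity and homogeneity. The node names, the choice of which link kinds to include, the derivation of "depends on" from subexpression and type declaration links, and the fact that candidate symmetries are supplied by the caller rather than searched for are assumptions of the example.

```python
from collections import defaultdict

# Constructed semantic modulation graph (not from the thesis).  Variables
# x1 and x2 share the type node T; y has type node U.  Formula nodes are
# named after what they stand for; the names themselves carry no structure.
S = {
    "classes": {"T": "type", "U": "type", "c": "unclassified",
                "x1": "variable", "x2": "variable", "y": "variable",
                "P(x1)": "formula", "P(x2)": "formula", "P(y)": "formula",
                "x1=c": "formula", "x2=c": "formula", "AllP": "formula"},
    "type_decls": {("x1", "T"), ("x2", "T"), ("y", "U")},   # variable -> type node
    "subexprs": {("P(x1)", "x1"), ("P(x2)", "x2"), ("P(y)", "y"),
                 ("x1=c", "x1"), ("x1=c", "c"), ("x2=c", "x2"), ("x2=c", "c")},
    # clause links as sets of literals (node, polarity): ¬AllP ∨ P(x1), ...
    "clauses": {frozenset({("AllP", False), ("P(x1)", True)}),
                frozenset({("AllP", False), ("P(x2)", True)}),
                frozenset({("AllP", False), ("P(y)", True)})},
    # equality links p ⇔ n = m
    "equalities": {("x1=c", "x1", "c"), ("x2=c", "x2", "c")},
}


def carry(iota, graph):
    """ι(S): apply ι to every node of every link.  Nodes that ι does not
    mention are mapped to themselves."""
    f = lambda n: iota.get(n, n)
    return {
        "classes": {f(n): k for n, k in graph["classes"].items()},
        "type_decls": {(f(n), f(t)) for n, t in graph["type_decls"]},
        "subexprs": {(f(p), f(q)) for p, q in graph["subexprs"]},
        "clauses": {frozenset((f(n), pol) for n, pol in clause)
                    for clause in graph["clauses"]},
        "equalities": {(f(p), f(n), f(m)) for p, n, m in graph["equalities"]},
    }


def is_symmetry(iota, graph):
    """ι is a symmetry of S if it is a bijection of the nodes of S onto
    themselves and ι(S) equals S."""
    nodes = set(graph["classes"])
    image = {iota.get(n, n) for n in nodes}
    if set(iota) - nodes or image != nodes:
        return False
    return carry(iota, graph) == graph


def depends(graph, r, n):
    """r depends on n: r == n or a chain of subexpression / type
    declaration links leads from r to n (assumed notion of dependence)."""
    edges = defaultdict(list)
    for p, q in graph["subexprs"] | graph["type_decls"]:
        edges[p].append(q)
    seen, stack = set(), [r]
    while stack:
        u = stack.pop()
        if u == n:
            return True
        if u not in seen:
            seen.add(u)
            stack.extend(edges[u])
    return False


def is_s_identical(graph, n1, n2, iota):
    """n1 and n2 are S-identical via ι: ι is a symmetry exchanging n1 and
    n2 that fixes every node depending on neither of them."""
    if iota.get(n1) != n2 or iota.get(n2) != n1:
        return False
    for r in graph["classes"]:
        if (not depends(graph, r, n1) and not depends(graph, r, n2)
                and iota.get(r, r) != r):
            return False
    return is_symmetry(iota, graph)


def is_homogeneous(graph, witnesses):
    """Homogeneity checked against caller-supplied candidate symmetries:
    every two variables with the same type node must be S-identical via
    one of them (finding the symmetry is an isomorphism search, which
    this example does not attempt)."""
    by_type = defaultdict(list)
    for n, t in sorted(graph["type_decls"]):
        by_type[t].append(n)
    for group in by_type.values():
        for i, n1 in enumerate(group):
            for n2 in group[i + 1:]:
                if not any(is_s_identical(graph, n1, n2, w) for w in witnesses):
                    return False
    return True


# ι exchanging x1 and x2 together with the nodes built from them
SWAP_X = {"x1": "x2", "x2": "x1", "P(x1)": "P(x2)", "P(x2)": "P(x1)",
          "x1=c": "x2=c", "x2=c": "x1=c"}
# a map exchanging x1 with y, which has a different type node
SWAP_XY = {"x1": "y", "y": "x1", "P(x1)": "P(y)", "P(y)": "P(x1)"}

if __name__ == "__main__":
    print("x1, x2 S-identical:", is_s_identical(S, "x1", "x2", SWAP_X))
    print("x1, y exchanged is a symmetry:", is_symmetry(SWAP_XY, S))
    print("homogeneous:", is_homogeneous(S, [SWAP_X]))
```

Exchanging x1 with x2 (and the formula nodes built from them) reproduces the same link sets, so it is a symmetry and the two variables are S-identical; exchanging x1 with y moves the type declaration link (x1, T) onto y and so is not a symmetry. Because x1 and x2 are the only two variables sharing a type node, the supplied swap is enough to witness that the graph is homogeneous.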

If variables of the same type are identical then it shouldn't matter which
variable is bound to a given focus object; two labelings should be considered
to be equivalent if the only difference between them is that they bind different
but identical variables to the same focus object. More specifically let 𝓕 be
a focus set over a semantic modulation graph S and let ι be a symmetry of
S that is the identity function on all 𝓕-protected nodes. The symmetry ι
exchanges identical variables but preserves all 𝓕-protected nodes. If Γ is a
binding labeling of S then the binding labeling ι(Γ) should be equivalent to
Γ.



Definition: Let 𝓕 be a focus set over a semantic modulation graph
S.

A symmetry ι of S is called 𝓕-preserving if ι is the identity func-
tion on all 𝓕-protected nodes in S.

Two binding labelings Γ and Γ' of S are called immediately-S-
equivalent if they have the same binding set, they assign the same
truth values to formula nodes, and their color labelings define the
same equivalence relation on nodes.

Two binding labelings Γ and Γ' of S are called S𝓕-equivalent if
either both Γ and Γ' exhibit premature termination or there ex-
ists an 𝓕-preserving symmetry ι of S such that ι(Γ) is immediately-
S-equivalent to Γ'.

It is possible to prove that →SF satisfies the diamond property modulo
S𝓕-equivalence and thus →SF is order independent.

→SF Normalization Theorem: If S is a homogeneous seman-
tic modulation graph and 𝓕 is a focus set over S then the relation
→SF is a terminating normalizer modulo S𝓕-equivalence.

The above order independence result implies that in certain easily iden-
tified cases the answers generated by the Ontic system do not depend on
the order in which inference operations are performed.



Corollary: Let 𝓕 be a focus set over a homogeneous semantic
modulation graph S, let p be an 𝓕-protected formula node, and
let Γ be a binding labeling of S. If Γ' and Γ'' are both nor-
malizations of Γ under →SF then either both Γ' and Γ'' exhibit
premature termination or Γ' and Γ'' agree on the truth of p.



5.5 Assumptions 

This section describes an inference relation →SA which performs inference
in the presence of assumptions (suppositions). The inference relation →SA
is fully described in the beginning of the section. The relation →SFA, that
incorporates focus, is described in section 5.5.2. Sections 5.5.1 and 5.5.3
involve soundness and unique normalization respectively and can be safely
ignored by readers not interested in correctness proofs.

Recall that a binding labeling Γ for S is 𝒲-valid if the binding set of Γ
is 𝒲-legal and the binding set of Γ implies the truth and color labeling of
Γ, i.e. every world in 𝒲 that satisfies the binding set of Γ also satisfies the
truth and color labeling of Γ. If 𝒲 is a satisfactory semantics for the graph
S then the relation →S preserves 𝒲-validity. Unfortunately the notion of
𝒲-validity does not allow for assumptions. An assumption is a statement
that is true in some worlds but not others. To properly handle assumptions
one must deal with labelings that are not 𝒲-valid.



Definition: Let S be a semantic modulation graph and let W
be a satisfactory semantics for S.

An assumption set over S is a subset A of the formula nodes in
S. If w is a world in W then we say that w satisfies A if w assigns
every formula node in A the label true.

Assumptions can be handled by an inference relation →_SA where A is
an assumption set over S. A later section will discuss how assumptions can
be combined with focus objects to yield an inference relation →_SFA which
is a controlled restriction of the relation →_SA defined here. However, focus
objects are ignored in the remainder of this section.

The labelings manipulated by the relation →_SA contain information that
is deduced from the assumption set A. The assumptions in A may contain
assumptions about the types of objects. Thus a certain binding may be type
respecting relative to the assumptions in A even if that binding can not
be proven to be type respecting in general. Furthermore the assumptions in
A place restrictions on the free variables of the assumptions; it may not be
possible to assign values to the free variables of an assumption without making
the assumptions false. Thus the relation →_SA avoids binding variables which
are depended on by elements of the assumption set A. In fact the only
difference between the relations →_S and →_SA is that →_SA avoids binding
variables depended on by the assumptions in A.



Definition: Let A be an assumption set over a semantic modulation
graph S.

If β is a binding set over S then a variable node n in S is called
Aβ-free if n is β-free, i.e. not bound under β, and no assumption
in A β-depends on n.

Let T and T' be two binding labelings of S. We write T →_SA T'
if T →_S T' and either T and T' have the same binding set or the
binding set of T' contains an additional binding n ↦ r where n
is Aβ-free.

The restriction on bindings given in the above definition makes it possible to
prove a soundness theorem for the relation →_SA; this theorem establishes
that →_SA can be used to find logical consequences of a set of assumptions.



→_SA Soundness Theorem: Let W be a satisfactory semantics
for a semantic modulation graph S and let A be an assumption
set over S. Let T be a binding labeling with an empty binding set
and such that every world in W that satisfies A also satisfies the
truth and color labeling of T. Now suppose T →_SA* T' where
T' has binding set β. If p is a formula node such that p is labeled
true under T' and no variable depended on by p is bound under
β then p must be labeled true in all worlds in W that satisfy A.

Intuitively, the assumption soundness theorem holds because assumptions
do not constrain variables not depended on by the assumptions; variables not
depended on by assumptions are still free to range over their types and such
a variable can be assigned to any object that is known to be an instance of
its type. These intuitive comments are made more precise below.

5.5.1 Proof of the →_SA Soundness Theorem

Like the semantic modulation soundness theorem, the assumption soundness
theorem is proven by showing that the relation →_SA preserves a certain
property of binding labelings. More specifically the relation →_SA preserves
AW-validity where a binding labeling is AW-valid just in case its binding
set is AW-legal and its bindings together with the assumptions in A imply
its truth and color labeling. The notion of an AW-legal binding context is
similar to the notion of a W-legal binding context except that the concepts
involved are relativized in some way to the assumption set A.

An AW-legal binding set need not be W-legal; the legality of bindings in
an AW-legal binding set may depend on assumptions in A. More specifically,
an AW-legal binding set need not be W-universally-satisfiable; if β is AW-
legal, and w is a world in W such that w does not satisfy A, then W need
not contain a world w[β] that satisfies β and agrees with w on all nodes
that do not depend on variables bound under β. In defining the AW-legal
binding sets the notion of W-universal-satisfiability is replaced by the notion
of AW-universal-satisfiability.



Definition: Let W be a satisfactory semantics for a semantic
modulation graph S, let A be an assumption set over S, and let
β be a binding set over S. The binding set β is AW-universally-
satisfiable if for every world w in W such that w satisfies A
the semantics W contains a world w[β] such that w[β] satisfies
β and agrees with w on all nodes that do not depend on any
variable bound under β.



The following lemma states that if β is A-protecting in the sense defined
below then β-assignments to Aβ-free variables always preserve the truth of
the assumptions in A. Recall that a variable n is Aβ-free just in case n is
β-free and no assumption in A β-depends on n.



Definition: Let A be an assumption set over a semantic modulation
graph S, let W be a satisfactory semantics for S, and let
β be a binding set over S.

The binding set β is called A-protecting if no variable depended
on by an element of A is bound under β.

Lemma: If β is A-protecting, w is a world in W that satisfies A,
n is an Aβ-free variable node, and c is an instance of the type of
n in the world w then any β-assignment of n to c in w also satisfies
A.

Proof: Since n is Aβ-free, no assumption in A (directly) depends
on n. Furthermore, I will show that no assumption in A
β-depends on n. More specifically, suppose that there existed a
β-dependency-path from an assumption p in A to the variable
n. Since p does not directly depend on n this path must involve
some variable bound under β. Thus there must be a direct dependency
path from p to some variable bound under β. But this
is impossible because β is assumed to be A-protecting. Thus no
assumption in A β-depends on n. Thus if w[β, n := c] is a β-
assignment of n to c in w then w and w[β, n := c] must agree on
all elements of A. By assumption w satisfies A so w[β, n := c]
also satisfies A.

An AW-legal binding set β need not have the property that β-assignments
exist in W. More specifically the existence of β-assignments may depend on
the assumptions in A and thus if w is a world that does not satisfy A there
may be a variable node n and an instance c of the type of n such that W does
not contain a β-assignment of n to c in w. When dealing with assumptions
the requirement that β-assignments exist must be restricted to those worlds
which satisfy the assumption set.

Definition: We say that β-assignments exist in W under A if for
every world w in W that satisfies both β and A, every Aβ-free
variable node n in S, and every instance c of the type of n in
world w, the semantics W contains a β-assignment of n to c in
w.

It is now possible to define the AW-legal binding sets.



Definition: Let W be a satisfactory semantics for a semantic
modulation graph S, let A be an assumption set over S, and let
β be a binding set over S. We say that the binding set β is AW-
legal if there are no β-dependency loops, β is AW-universally-
satisfiable, β is A-protecting, and β-assignments exist in W under
A.



If β is the empty binding set then there are no β-dependency-loops; β
is clearly AW-universally-satisfiable; and β is A-protecting. Furthermore if
β is empty then β-assignments exist in all worlds in W. Thus the empty
binding set is AW-legal.

The notion of an AW-legal binding context leads to the notion of an
AW-valid binding labeling. A binding labeling T is AW-valid if its binding
set is AW-legal and its truth and color labeling is implied by its binding set
and the assumptions in A.



Definition: Let W be a satisfactory semantics for a semantic
modulation graph S and let A be an assumption set over S. A
binding labeling T is called AW-valid if the binding set of T is
AW-legal and every world in W which satisfies both A and the
binding set of T also satisfies the truth and color labeling of T.



It is now possible to state the main theorem of this section: the relation
→_SA preserves AW-validity.



→_SA Preservation Theorem: Let W be a satisfactory semantics
for a semantic modulation graph S and let A be an assumption
set for S. If T is an AW-valid binding labeling and
T →_SA T', then T' is also AW-valid.



The proof of the →_SA preservation theorem is essentially the same as
the proof of the →_S preservation theorem given earlier; the proof will not
be given here. It is important to note however that the restriction on bindings
stated in the definition of →_SA is essential for the →_SA preservation
theorem. More specifically suppose β contained a binding of the form n ↦ r
where some assumption in A depends on n. In this case the binding n ↦ r
may violate the assumptions in A; the binding may not be satisfiable by any
world that satisfies A.
5.5.2 Combining Assumptions and Focus Objects

Focus objects guide the choice of bindings generated in the Ontic system.
It is easy to combine focus and assumptions. More specifically the relation
→_SFA can be defined as follows:

Definition: If T and T' are two binding labelings of a semantic
modulation graph S then we write T →_SFA T' if T →_SA T' and
T →_SF T'.

The above definition implies that the relation →_SFA is a restriction of
the relation →_SA. More specifically →_SFA is that restriction of →_SA which
only generates bindings n ↦ r where r is a member of the focus set F, no
other variable with the same type node as n has already been bound to r,
and no member of the focus set depends on n. Since →_SFA is a restriction
of →_SA it preserves AW-validity.

5.5.3 Termination and Order Independence 

Since each variable can be bound at most once, and since truth and color
labelings can not be extended indefinitely, all of the inference relations
discussed so far are well founded; there are no infinite inference chains.

Furthermore it can be shown that the ability of the relation →_SFA to
prove a given result does not depend on the order in which inferences are
performed. More specifically, let S be a semantic modulation graph; let F
be a focus set over S, and let p be a formula node which is F-protected,
i.e. p represents some statement about the focus objects; and let A be an
assumption set over S. The relation →_SFA can be used in an attempt to
prove that p follows from the assumptions in A. More specifically let T be an
initial binding labeling such that the labeling of T satisfies A and let T'
and T'' be two normal forms of T under the inference relation →_SFA. It
turns out that the relation →_SFA is order independent in the sense that, for
the graphs generated by compiling individual variables and closed formulas,
either T' and T'' are both inconsistent or they both agree on p.
The proof of the order independence result for the relation →_SFA is very
similar to the proof of the order independence result for →_SF. In fact the
only difference between these two proofs involves the notion of premature
termination. It is possible that a binding labeling T' is normalized under
→_SFA even though it could be reduced further under →_SF. More specifically,
a variable might be β-free and thus available for binding under →_SF
but not Aβ-free and thus not available for binding under →_SFA. In fact
it is possible that T' exhibits premature termination with respect to the
relation →_SFA even though it does not exhibit premature termination with
respect to the relation →_SF. A binding labeling T exhibits premature AF-
termination just in case the truth and color labeling of T is inconsistent or
there are not enough variables of the appropriate types available for binding
to the focus objects (the precise definition should be clear and is not given
here).

The →_SFA normalization theorem is stated in terms of a certain equivalence
relation on labelings. The notion of AFS-equivalence can be defined
as follows:



Definition: Let F be a focus set over a semantic modulation
graph S and let A be an assumption set over S.

A node r is called AF-protected if every variable depended on by
r is also depended on by some element of F or A. (If r is AF-
protected then no binding generated by →_SFA binds a variable
depended on by r.)

A symmetry i of S is called AF-preserving if i is the identity
function on all AF-protected nodes.

Two binding labelings T and T' of S are called AFS-equivalent
if either both T and T' exhibit premature AF-termination or
there exists an AF-preserving symmetry i of S such that i(T) is
immediately-S-equivalent to T'.

Now it is possible to prove that if S is homogeneous then →_SFA satisfies
the diamond property modulo AFS-equivalence. Thus →_SFA is a terminating
normalizer relative to AFS-equivalence. Furthermore if T and T' are
AFS-equivalent and p is an AF-protected formula node then either T and
T' both exhibit premature termination or they both agree on the truth of p.
Thus the ability of the system to determine the truth of an AF-protected
formula does not depend on the order in which reductions are done.



5.6 Automatic Universal Generalization 

This section describes an inference relation →_G which performs automatic
universal generalization. The inference relation →_G is fully described in the
beginning of the section and section 5.6.1 can safely be ignored by readers
not interested in correctness proofs. Section 5.6.2 describes the relation
→_GA which is similar to →_G except that it handles a set of assumptions
(suppositions). Section 5.6.3 discusses semantic soundness and can be safely
ignored by readers not interested in correctness proofs. The relations →_G
and →_GA are not guided by focus objects; section 5.6.4 describes a relation
that is guided by focus objects.

Universal generalization is a method for deducing formulas of the form

(FORALL ((X τ)) Φ)

More specifically, suppose that a variable X of type τ appears free in the
formula Φ and that Φ has been proven using only the fact that X is an instance
of the type τ. In this case Φ must be true no matter how one interprets X as
an instance of τ and thus one can infer that the above universal formula is
true.

In the Ontic system the formula

(FORALL ((X τ)) Φ)

abbreviates the formula

(NOT
  (EXISTS-SOME
    (LAMBDA ((X τ))
      (NOT Φ))))
LAMBDA is the only true quantifier in the Ontic system; classical quantification
is handled with the quantifier LAMBDA and formulas of the form

(EXISTS-SOME α)

where α is a type expression. In order to implement universal generalization
as a graph labeling inference mechanism two additional kinds of
links are needed corresponding to the quantifier LAMBDA and the operator
EXISTS-SOME.
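As an added example (not code from the thesis or the Ontic system), the following s-expression parser and rewriter performs the FORALL expansion described above, on every FORALL inside a formula; the single-variable binder and its type expression are copied unchanged.

```python
import re

def parse(text):
    """Parse an s-expression string into nested lists of symbol strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1          # consume the closing ")"
            return items
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        return tok

    expr = read()
    if pos != len(tokens):
        raise SyntaxError("trailing tokens after expression")
    return expr

def unparse(expr):
    """Print nested lists back as an s-expression string."""
    if isinstance(expr, list):
        return "(" + " ".join(unparse(e) for e in expr) + ")"
    return expr

def expand_forall(expr):
    """Rewrite (FORALL ((X tau)) Phi) as (NOT (EXISTS-SOME (LAMBDA ((X tau))
    (NOT Phi)))), recursively, so FORALL never appears in the result."""
    if not isinstance(expr, list):
        return expr
    if len(expr) == 3 and expr[0] == "FORALL":
        binder, body = expr[1], expand_forall(expr[2])
        return ["NOT", ["EXISTS-SOME", ["LAMBDA", binder, ["NOT", body]]]]
    return [expand_forall(e) for e in expr]

def expand(text):
    """Parse, expand every FORALL, and print the resulting Ontic formula."""
    return unparse(expand_forall(parse(text)))

if __name__ == "__main__":
    print(expand("(FORALL ((X SET)) (SUBSET X X))"))
```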

Definition: An Ontic graph G consists of a semantic modulation
graph together with

• a set of existential links of the form

p ⇔ ∃m

where p is a formula node and m is a type node. Such a link
says that p represents the formula which says that there exist
instances of the type m.

• a set of closure links of the form

λn.p = m

where n is a variable node, p is a formula node such that
no free variable of p other than n depends on n, and m is
a type node. Such a link says that m represents the type
whose instances are the values of the variable n which satisfy
the formula represented by p.

If S is the semantic modulation graph derived by deleting all
existential links and closure links from an Ontic graph G then S
is called the semantic modulation graph underlying G.

Let G be an Ontic graph and let S be the underlying semantic
modulation graph. A labeling of G is simply a labeling of S; a
binding set over G is a binding set over S; and a binding labeling
of G is a binding labeling of S.
Universal generalization can be done whenever a fact has been proven
about a variable n and no assumptions have been made about n other than 
that it is an instance of its own type node. The following definitions identify 
those variable nodes n such that "no assumptions have been made about n". 
These definitions have been carefully designed to maximize the deductive 
power of automatic universal generalization while still ensuring the soundness 
of universal generalization inferences. 



Definition: Let T be a binding labeling of an Ontic graph G, let
β be the binding set of T, and let n be a variable node of G.

We say that two type nodes m and m' are known to be equal under
T if the labeling of T assigns m and m' the same color label.

We say that n is T-free if either n is β-free or n is bound under
β with a binding n ↦ n' where n' is a β-free variable node such
that the type node of n' is known to be equal to the type node of
n under T.

If n is T-free then the T-freedom-source for n is defined as follows:
If n is β-free then the T-freedom-source for n is n itself. If n is
T-free and the binding set of T contains a binding of the form
n ↦ n' then the T-freedom-source for n is the variable node n'.



There are two forms of universal generalization used in the Ontic system:
formula generalization and established type generalization. Formula generalization
generalizes the truth of a formula node. Consider a formula node
p and a variable node n such that n is a free variable of p. Now suppose
that p has been proven to be false without using any assumptions about the
particular value for n. In this case one can deduce that the type λn.p is
empty; there is no interpretation of n that makes p true. If the type λn.p is
empty then it may be possible to determine that a certain existential formula
node is false. A universal formula is always represented as the negation of
an existential formula so formula generalization can result in assigning a
universal formula the label true.
Established type generalization is a form of universal generalization that
involves subtype links. If G contains a subtype link p ⇔ m ≺ m' then
the formula node p represents the statement that every instance of the type
m is an instance of the type m'. Thus p represents a universally quantified
statement: a statement that quantifies over all instances of the type m. Now
suppose that n is a variable with type node m and that m' is an established
type for n where no assumptions have been made about n. In this case one
can deduce that every instance of m is also an instance of m' so the formula
p which represents the subtype relation must be true.

In addition to the two kinds of universal generalization, Ontic graphs
are associated with existential generalization inferences. If an Ontic graph G
contains an existential link p ⇔ ∃m then the node p represents the statement
that there exist instances of the type m. Now if there exists a node r such
that m is an established type node for r then one can infer that instances of
m exist and therefore that p must be true.



Definition: Let G be an Ontic graph. Let T be a binding labeling
of G with binding set β and truth and color labeling L.

We say that a formula node q can be proven false by TG-formula-
generalization over a variable node n just in case G contains a
closure link λn.p = m such that L assigns p the label false, n is
T-free with freedom source n', no free variable of p other than n
β-depends on n', and G contains the existential link q ⇔ ∃m.

We say that a formula node p can be proven true by TG-established-
type-generalization over a variable node n just in case G
contains a subtype link p ⇔ m ≺ m' such that m is the type
node for n, m' is an L-established type node for n, n is T-free
with freedom source n' and m' does not β-depend on n'.

We say that a formula node p can be proven true by TG-existential-
generalization if G contains an existential link p ⇔ ∃m such that
there exists a node r in G such that m is an L-established-type-
node for r.
Under certain binding labelings it is possible to prove that a certain formula
node is true even though that node has already been assigned the label
false. Binding labelings with this property are inconsistent.

Definition: Let G be an Ontic graph and let T be a binding
labeling of G. We say that T is G-inconsistent if any of the
following conditions hold:

• The color and truth labeling of T is C-inconsistent where C
is the congruence constraint graph underlying G.

• There exists a formula node p which can be proven false via
TG-formula-generalization but p is labeled true under T.

• There exists a formula node p which can be proven true via
either TG-established-type-generalization or TG-existential-
generalization but p is labeled false under T.

Given a definition of the kinds of inferences that are associated with Ontic
graphs and the notion of G-inconsistency we can now define the relation →_G.

Definition: Let G be an Ontic graph and let T and T' be binding
labelings of G. We write T →_G T' if either T →_S T' where S is the
semantic modulation graph underlying G or else T is G-consistent,
the binding set of T' equals the binding set of T, and one of the
following conditions holds:

• There exists a formula node p that can be proven false via
TG-formula-generalization and the truth and color labeling
of T' is the result of assigning p the label false in the truth
and color labeling of T.

• There exists a formula node p that can be proven true via
either TG-established-type-generalization or TG-existential-
generalization and the truth and color labeling of T' is the
result of assigning p the label true in the truth and color
labeling of T.
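The following toy model, added here and not code from the Ontic system, implements the T-free test, the freedom source, TG-formula-generalization and the corresponding →_G step on a constructed Ontic graph. Dependencies, bindings and labels are plain dicts; established type nodes are not modelled, so only the formula-generalization clause of G-inconsistency is checked, and all node names (p1, q1, m1, SET, CLASS, ...) are constructed for the example.

```python
# Toy model of TG-formula-generalization (constructed example, not the
# Ontic system's own code). Only this clause of G-inconsistency is modelled.
from dataclasses import dataclass, field

@dataclass
class OnticGraph:
    deps: dict         # node -> set of variable nodes it directly depends on
    var_type: dict     # variable node -> its type node
    closure: list      # (n, p, m): closure link   lambda n . p = m
    existential: list  # (q, m): existential link  q <=> EXISTS m

@dataclass
class BindingLabeling:
    beta: dict = field(default_factory=dict)   # variable -> node bound to
    truth: dict = field(default_factory=dict)  # formula node -> True/False
    color: dict = field(default_factory=dict)  # node -> color label

def beta_depends(g, T, node, target):
    """node beta-depends on variable `target` when a dependency path reaches
    it; a bound variable also depends on whatever its binding depends on."""
    seen, stack = set(), [node]
    while stack:
        x = stack.pop()
        if x in seen:
            continue
        seen.add(x)
        if x == target and x in g.var_type:
            return True
        stack.extend(g.deps.get(x, ()))
        if x in T.beta:  # follow the binding x |-> r
            stack.append(T.beta[x])
    return False

def known_equal(T, m1, m2):
    """Type nodes are known to be equal under T if they share a color label."""
    return m1 in T.color and T.color[m1] == T.color.get(m2)

def freedom_source(g, T, n):
    """T-freedom-source of n, or None when n is not T-free: n itself if it is
    beta-free, else the beta-free variable n' it is bound to, provided the
    type nodes of n and n' are known to be equal under T."""
    if n not in T.beta:
        return n
    src = T.beta[n]
    if (src in g.var_type and src not in T.beta
            and known_equal(T, g.var_type[n], g.var_type[src])):
        return src
    return None

def provable_false_by_formula_generalization(g, T, q):
    """Some closure link lambda n.p = m has p labeled false, n is T-free with
    source n', no free variable of p other than n beta-depends on n', and
    q <=> EXISTS m is an existential link of the graph."""
    for n, p, m in g.closure:
        if (q, m) not in g.existential or T.truth.get(p) is not False:
            continue
        src = freedom_source(g, T, n)
        if src is None:
            continue
        if any(beta_depends(g, T, v, src) for v in g.deps[p] if v != n):
            continue
        return True
    return False

def g_inconsistent(g, T):
    """A formula node provably false by generalization but labeled true."""
    return any(provable_false_by_formula_generalization(g, T, q)
               for q, _ in g.existential if T.truth.get(q) is True)

def step_g(g, T):
    """One ->G formula-generalization step; None if T is G-inconsistent or
    no existential formula node can newly be labeled false."""
    if g_inconsistent(g, T):
        return None
    for q, _ in g.existential:
        if q not in T.truth and provable_false_by_formula_generalization(g, T, q):
            T2 = BindingLabeling(dict(T.beta), dict(T.truth), dict(T.color))
            T2.truth[q] = False  # NOT q, the FORALL formula, is now true
            return T2
    return None

def demo_graph():
    """Constructed graph: p1 = (MEMBER X EMPTY), p2 = (MEMBER X Y), closure
    links lambda X.p1 = m1 and lambda X.p2 = m2, existential links
    q1 <=> EXISTS m1 and q2 <=> EXISTS m2, so NOT q1 reads
    (FORALL ((X SET)) (NOT (MEMBER X EMPTY)))."""
    return OnticGraph(
        deps={"p1": {"X"}, "p2": {"X", "Y"}, "(SINGLETON X)": {"X"}},
        var_type={"X": "SET", "Y": "SET", "Z": "CLASS"},
        closure=[("X", "p1", "m1"), ("X", "p2", "m2")],
        existential=[("q1", "m1"), ("q2", "m2")])

if __name__ == "__main__":
    g = demo_graph()
    T = BindingLabeling(truth={"p1": False})   # X is beta-free: generalize
    print(step_g(g, T).truth)                  # {'p1': False, 'q1': False}
```

Binding X to a constant, binding X to a variable whose type node is not known to be equal, or binding another free variable of p to a term that depends on X each block the generalization, while binding X to a β-free variable of a type known to be equal merely moves the freedom source.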
5.6.1 Semantic Soundness

The semantics of full Ontic graphs is very similar to that of semantic mod- 
ulation graphs. However the semantics of full Ontic graphs must properly 
account for the meaning of closure and existential links. The precise semantic 
meaning of closure and existential links is captured in the following definition 
of a satisfactory semantics for an Ontic graph. 



Definition: A satisfactory semantics for an Ontic graph G is
a satisfactory semantics W for the semantic modulation graph
underlying G such that the following conditions hold.

• If p ⇔ ∃m is an existential link in G and w is a world in W
then w assigns p the label true just in case there exists a
color c which is an instance of m in the world w.

• If λn.p = m is a closure link in G and w is a world in
W then a color c is an instance of m in w just in case c is
an instance of the type of n in w such that if w[n := c] is an
assignment of n to c in w then w[n := c] assigns p the label
true.



The formal language Ontic has an intended semantics which can be defined
relative to a fixed universe of mathematical objects (a fixed model of
ZFC set theory). The meaning, or denotation, of an Ontic expression can be
defined relative to a type respecting variable interpretation; a given interpretation
of Ontic variables as mathematical objects yields an interpretation for
every Ontic expression. In the graph produced by the Ontic compiler each
node is associated with an Ontic expression. Since a type-respecting interpretation
of Ontic variables assigns a meaning to every expression, such a
variable interpretation can be used to assign labels to the nodes in the graph
produced by the Ontic compiler. Thus each variable interpretation yields a
world and the set of all such variable interpretations yields a set of worlds, i.e.
a semantics. The intended semantics for the graphs produced by the Ontic
compiler is a satisfactory semantics in the technical sense defined above.
The semantic soundness theorem for Ontic graphs is analogous to the semantic
tic soundness theorem for semantic modulation graphs. 



→_G Soundness Theorem: Let W be a satisfactory semantics
for an Ontic graph G. Let T be a binding labeling of G with an
empty binding set and with a labeling L such that every world
in W satisfies L. Now suppose T →_G* T' where T' has binding
set β and labeling L'. If p is a formula node that is labeled true
under L' and such that p does not depend on any variable bound
under β then p must be labeled true in all worlds in W.

The →_G soundness theorem implies that universal and existential generalization
as allowed under →_G are semantically sound inference techniques.
As was the case for →_S, the →_G soundness theorem is proven by showing
that →_G preserves W-validity. Recall that a binding labeling T is W-valid
if its binding set is W-legal and every world in W that satisfies the binding
set of T also satisfies the truth and color labeling of T. Both the notion
of a W-legal binding set and the notion of a W-valid binding labeling are
defined purely in terms of the semantics W; these notions do not depend on
graph structure and do not need to be redefined here. The proof of the →_G
preservation theorem uses the following lemma:



Freedom Source Lemma: Let W be a satisfactory semantics
for a semantic modulation graph G. Let T be a W-valid binding
labeling of G with binding set β and truth and color labeling L.
Let n be a T-free variable node with freedom source n'. Let w be
a world in W that satisfies β. If c is an instance of the type of n
in w then the semantics W contains a β-assignment w[β, n' := c]
of n' to c in w and any such β-assignment assigns n the color
c.

Proof: Since n' is the freedom source for n, either n' is the
same node as n or else β contains the binding n ↦ n' and L
assigns the same color labels to the type nodes of n and n'. In
either case n' is β-free; any world which satisfies β assigns n and
n' the same color label; and any world which satisfies L assigns
the type nodes for n and n' the same color label.

Since w satisfies β and T is W-valid, w must satisfy L and
thus w must assign the type nodes for n and n' the same color
label. Thus c is an instance of the type of n' in w. Thus, since β is
W-legal and n' is β-free, the semantics W contains a β-assignment
w[β, n' := c] of n' to c in w. Furthermore w[β, n' := c] satisfies
β and assigns n' the color c so w[β, n' := c] must also assign n
the color c.



→_G Preservation Theorem: Let W be a satisfactory semantics
for an Ontic graph G. Let T and T' be binding labelings for
G. If T is W-valid and T →_G T' then T' is W-valid.

Proof: Suppose that T is W-valid and that T →_G T'. Either
T →_S T' where S is the semantic modulation graph underlying
G or else T' is derived from T by universal or existential generalization.
If T →_S T' then the →_S preservation theorem implies
that T' is W-valid. Now suppose T' is derived from T by either
universal or existential generalization. In this case the binding
set of T' equals the binding set of T; let β be this binding set.
By assumption T is W-valid and thus β is W-legal. It remains
only to show that every world in W which satisfies β also satisfies
the truth and color labeling of T'. Let L be the truth and color
labeling of T and let L' be the truth and color labeling of T'.
Consider a world w in W which satisfies β. Since T is W-valid,
w satisfies L. Now there are three cases.

First suppose that there exists a formula q which can be
proven false via TG-formula-generalization over a variable node
n and that L' is derived from L by assigning q the label false. In
this case there exists a closure link λn.p = m and an existential
link q ⇔ ∃m such that L labels p false, n is T-free with freedom
source n', and no free variable of p other than n β-depends on n'.
To show that T' is W-valid let w be any world in W that satisfies
β'. We must show that w satisfies L'. Since T is W-valid, and
since β equals β', the world w must satisfy L. Thus to show that
w satisfies L' it suffices to show that w assigns q the label false.
Given the semantics of existential links it suffices to show that
there are no instances of m in w. The semantics of closure links
state that a color c is an instance of m in w just in case c is an
instance of the type of n such that if w[n := c] is an assignment of
n to c in w then w[n := c] assigns p the label true. Let c be any
instance of the type of n in w and let w[n := c] be an assignment
of n to c in w. To show that there are no instances of m it suffices
to show that w[n := c] assigns p the label false. By the above
freedom source lemma the semantics W contains a β-assignment
w[β, n' := c] of n' to c in w and any such β-assignment must
assign n the color c. Since w[β, n' := c] satisfies β, and since T is
W-valid, the world w[β, n' := c] must satisfy the labeling L and
thus w[β, n' := c] must assign p the label false. It now suffices to
show that w[n := c] agrees with w[β, n' := c] on the formula p.
To show that w[n := c] and w[β, n' := c] agree on p it suffices to
show that these two worlds agree on the free variables of p. Both
w[n := c] and w[β, n' := c] assign n the color c. Now consider
the free variables of p other than n. Since no free variable of p
other than n β-depends on n', w[β, n' := c] agrees with w on
the free variables of p other than n. Furthermore, the definition
of an Ontic graph states that no free variable of p other than n
directly depends on n. Thus w[n := c] also agrees with w on the
free variables of p other than n. Thus w[n := c] and w[β, n' := c]
agree on all the free variables of p and thus agree on p.

Now suppose that there exists a formula node p such that p
can be proven true via TG-established-type-generalization over
a variable node n and that L' is derived from L by assigning p
true. In this case there exists a subtype link p ⇔ m ≺ m' such
that m is the type node of n, n is T-free with freedom source n'
and m' is an L-established-type-node for n such that m' does not
β-depend on n'. To show that T' is W-valid consider a world w
that satisfies β'. We must show that w satisfies L'. Since T is W-
valid, and since β equals β', the world w must satisfy L. Thus it
suffices to show that w assigns p the label true. By the definition
of a satisfactory semantics it suffices to show that every instance
of m in w is also an instance of m' in w. Let c be an instance
of m in w. It suffices to show that c is an instance of m' in w.
Since the variable n has type node m, the color c is an instance
of the type of n. Thus the above freedom source lemma implies
that W contains a β-assignment w[β, n' := c] of n' to c in w and
any such β-assignment assigns n the color c. Since w[β, n' := c]
satisfies β and since T is W-valid, w[β, n' := c] must satisfy L.
Now since m' is an L-established-type-node for n the color of n in
w[β, n' := c] must be an instance of m' in w[β, n' := c]. Thus
c is an instance of m' in the world w[β, n' := c]. To show that
c is an instance of m' in w it now suffices to show that w and
w[β, n' := c] agree on m'. But this follows immediately from the
assumption that m' does not β-depend on n'.

Now consider existential generalization. Suppose that 𝒢 contains
an existential link p ↔ ∃m such that there exists a node
r such that m is an ℒ-established-type-node of r and that ℒ' is
derived from ℒ by assigning p the label true. To show that Γ' is
𝒲-valid let w be a world in 𝒲 that satisfies β'. We must show
that w satisfies ℒ'. Since β equals β' and since Γ is 𝒲-valid the
world w must satisfy ℒ. To show that w satisfies ℒ' it suffices to
show that w assigns p the label true. Since w satisfies ℒ, and
since m is an ℒ-established-type-node for r, the color of r in w
must be an instance of m in w. But this implies that there exists
an instance of m in w, so by the semantics of existential links w
must assign p the label true.



5.6.2 Assumptions

Recall that the notion of 𝒲-validity does not allow for assumptions; to properly
handle assumptions one must deal with labelings that are not 𝒲-valid.
To deal with labelings that are not 𝒲-valid we need a new inference relation
→𝒢𝒜. The relation →𝒢𝒜 restricts bindings to avoid binding variables
depended on by assumptions in 𝒜 and also restricts universal generalization so
that one does not generalize over variables depended on by assumptions in
𝒜.



Definition: An assumption set over an Ontic graph 𝒢 is a set 𝒜
of formula nodes in 𝒢.

Let 𝒢 be an Ontic graph, let 𝒜 be an assumption set over 𝒢 and
let Γ be a binding labeling of 𝒢 with binding set β.

A variable node n is called 𝒜Γ-free with freedom source n' just
in case n is Γ-free with freedom source n' and no element of 𝒜
β-depends on n'.

It is now possible to define the forms of inference associated with an Ontic 
graph under a set of assumptions. 



Definition: Let 𝒢 be an Ontic graph and let 𝒜 be an assumption
set over 𝒢. Let Γ be a binding labeling of 𝒢.

We say that a formula p can be proven false by 𝒜Γ𝒢-formula-generalization
over a variable node n just in case p can be proven
false by Γ𝒢-formula-generalization over n and n is 𝒜Γ-free.

We say that a formula p can be proven true by 𝒜Γ𝒢-established-type-generalization
over a variable node n just in case p can be
proven true by Γ𝒢-established-type-generalization over n and n
is 𝒜Γ-free.

As the above definition indicates, the inferences that are allowed in the presence
of assumptions are slightly different from the inferences that are allowed
when no assumptions are present; certain universal generalization inferences
may be allowed in the absence of assumptions but not allowed when assumptions
are present. This difference in the allowed inferences is reflected in a
difference in the notion of consistency.
Definition: Let 𝒢 be an Ontic graph, let Γ be a binding labeling
of 𝒢 and let 𝒜 be an assumption set over 𝒢. We say that Γ is
𝒜𝒢-inconsistent if any of the following conditions hold:

• The color and truth labeling of Γ is 𝒞-inconsistent where 𝒞
is the congruence constraint graph underlying 𝒢.

• There exists a formula node p which can be proven false via
𝒜Γ𝒢-formula-generalization but p is labeled true under Γ.

• There exists a formula node p which can be proven true via
either 𝒜Γ𝒢-established-type-generalization or Γ𝒢-existential-generalization
but p is labeled false under Γ.



Given a definition of the kinds of inferences that are associated with Ontic
graphs under assumptions and the notion of 𝒜𝒢-inconsistency we can now
define the relation →𝒢𝒜.

Definition: Let 𝒢 be an Ontic graph, let 𝒜 be an assumption
set over 𝒢, and let Γ and Γ' be binding labelings of 𝒢. We write
Γ →𝒢𝒜 Γ' if either Γ →𝒮𝒜 Γ' where 𝒮 is the semantic modulation
graph underlying 𝒢 or else Γ is 𝒜𝒢-consistent, the binding set of
Γ' equals the binding set of Γ, and one of the following conditions
holds:

• There exists a formula node p that can be proven false via
𝒜Γ𝒢-formula-generalization and the truth and color labeling
of Γ' is the result of assigning p the label false in the
truth and color labeling of Γ.

• There exists a formula node p that can be proven true via either
𝒜Γ𝒢-established-type-generalization or Γ𝒢-existential-generalization
and the truth and color labeling of Γ' is the
result of assigning p the label true in the truth and color
labeling of Γ.
5.6.3 Soundness under Assumptions

The soundness theorem for the relation →𝒢𝒜 is analogous to the soundness
theorem for →𝒮𝒜.

→𝒢𝒜 Soundness Theorem: Let 𝒲 be a satisfactory semantics
for an Ontic graph 𝒢 and let 𝒜 be an assumption set over 𝒢. Let
Γ be a binding labeling with an empty binding set and such that
every world in 𝒲 that satisfies 𝒜 also satisfies the truth and color
labeling of Γ. Now suppose Γ →𝒢𝒜* Γ' where Γ' has binding
set β. If p is a formula node such that p is labeled true under ℒ'
and no variable depended on by p is bound under β then p must
be labeled true in all worlds in 𝒲 that satisfy 𝒜.

The soundness theorem for →𝒢𝒜 can be proven by showing that →𝒢𝒜
preserves 𝒜𝒲-validity. Recall that Γ is 𝒜𝒲-valid if the binding set of Γ is
𝒜𝒲-legal and every world in 𝒲 that satisfies both 𝒜 and the binding set of
Γ also satisfies the truth and color labeling of Γ. The notion of 𝒜𝒲-validity
is defined in a purely semantic way; the 𝒜𝒲-validity of the binding labeling
Γ does not depend on any graph structure and need not be redefined here.

→𝒢𝒜 Preservation Theorem: Let 𝒲 be a satisfactory semantics
for an Ontic graph 𝒢 and let 𝒜 be an assumption set for 𝒢.
If Γ is an 𝒜𝒲-valid binding labeling and Γ →𝒢𝒜 Γ', then Γ' is
also 𝒜𝒲-valid.

The proof of the →𝒢𝒜 preservation theorem is directly analogous to the
proof of the →𝒢 preservation theorem and is not given here. The proof relies
on the fact that if n is 𝒜Γ-free with freedom source n' then no element of
𝒜 β-depends on n' where β is the binding set of Γ. More specifically, if
n' is β-free and no element of 𝒜 β-depends on n' then, by definition, n' is
𝒜β-free. Since n' is 𝒜β-free, and β is 𝒜𝒲-legal, β-assignments exist for n'
in all worlds that satisfy both β and 𝒜. If n' were β-free but not 𝒜β-free
then the 𝒜𝒲-legality of β would not ensure that β-assignments exist for n'.
5.6.4 Focus, Termination and Order Independence

Of course it is possible to control the generation of bindings with focus
objects. A focus set over an Ontic graph 𝒢 is simply a subset of the nodes of 𝒢.
One can define the relation →𝒢ℱ𝒜 as a restriction of the relation →𝒢𝒜; the
relation →𝒢ℱ𝒜 never binds variables which are ℱ-protected, only binds
variables to focus objects and never binds two variables with the same type
node to the same focus object. Because the relation →𝒢ℱ𝒜 is a restriction
of the relation →𝒢𝒜 it clearly preserves 𝒜𝒲-validity.

Order independence for the relation →𝒢ℱ𝒜 requires a restriction
on universal generalization inferences. More specifically the freedom source
of the variable being generalized over in a universal generalization inference
must be ℱ-protected. This ensures that no binding operation allowed under
→𝒢ℱ𝒜 binds the freedom source involved in a universal generalization inference.
This in turn ensures that all allowed universal generalization inferences
commute with all allowed binding operations. This restriction on universal
generalization inference has not been a problem in practice.
Chapter 6

The Ontic Language

The formal language Ontic consists of twenty three kinds of expression plus
seven macros that provide convenient abbreviations for expressions. The
Ontic compiler converts a set E of Ontic expressions to an Ontic graph 𝒢(E).
The graph 𝒢(E) is simpler than the set E; although there can be twenty three
different kinds of expressions in E there are only nine kinds of links in Ontic
graphs. The compiler is described in chapter 7; the current chapter describes
the language Ontic and various syntactic properties of that language.

There are several aspects of the syntax of the Ontic language that need 
explaining. First of all, most of the axioms of Zermelo-Fraenkel set theory 
are encoded in the notion of a syntactically small type expression; a type 
expression can be "reified" as a set only if the type expression is syntactically 
small. This chapter also describes free variables and substitution; the type 
system used in the Ontic language makes these notions somewhat complex. 



6.1 Non-Minimality of the Ontic Language 

The Ontic language is not semantically minimal; many of the constructs in
the Ontic language could be semantically defined in terms of more basic
constructs. There are three reasons for the non-minimality of the Ontic language.
First, the Ontic system encodes the axioms of set theory in the syntax of the
Ontic language. Second, the non-minimality of the Ontic language allows the
compilation process to generate efficient graph structure. There is an analogy
between the non-minimality of the Ontic language and the non-minimality
of programming languages — greater efficiency is achieved by allowing the
compiler to directly implement certain non-minimal language features.
Finally, directly compiling non-minimal language features improves the
input-output behavior of the system; there are automatic inferences based on the
graph structure generated from the non-minimal language which would not
be done automatically if the compilation process were restricted to a minimal
language.

The notion of a syntactically small type expression encodes many of the
axioms of set theory. Rather than have explicit comprehension axioms, the
Ontic system allows the construction of sets of the form

(THE-SET-OF-ALL τ)

where τ is a syntactically small type expression. Not all type expressions are
syntactically small; the types SET, GROUP, FIELD, or TOPOLOGICAL-SPACE are
all large and an error is generated if an attempt is made to construct the set
of all sets or the set of all topological spaces. On the other hand if s is a
term that denotes a set then the type

(SUBSET-OF s)

is syntactically small and one can construct the set

(THE-SET-OF-ALL (SUBSET-OF s))

The smallness of types of the form (SUBSET-OF s) corresponds to the axiom
of power set; for every set s there exists another set P(s) such that P(s)
contains all subsets of s. The smallness of types of the form (EITHER t_1 t_2)
corresponds to the set theoretic axiom of pairing. The smallness of lambda
types corresponds to the axiom of restricted comprehension and the smallness
of types of the form (RANGE-TYPE f) corresponds to the axioms of union and
replacement.

The non-minimality of the Ontic language also allows the graph 𝒢(E) to
be smaller than it would be otherwise. For example consider a type expression
of the form

(OR-TYPE τ_1 τ_2)

An object is an instance of this type just in case it is an instance of either
the type τ_1 or the type τ_2. Semantically this type is equivalent to the type

(LAMBDA ((X THING)) (OR (IS X τ_1) (IS X τ_2)))

However the lambda type quantifies over the type THING and generates
additional graph structure for each variable of type THING. By implementing
the OR-TYPE operator as a primitive one can avoid quantifying over the type
THING and thus create less graph structure. The primitive implementations
of IF, EITHER and RANGE-TYPE lead to similar savings in the amount of graph
structure created.

The non-minimality of the Ontic language also leads to greater inferential
power. For example consider the reification of functions. Expressions in the
Ontic language are divided into five syntactic categories: terms, formulas,
functions, types and type-generators. Of these five categories terms are the
only first class objects; variables can be bound only to terms and only terms
can be used to specify focus objects. However certain type expressions (syntactically
small type expressions) can be reified, i.e. coerced to a term via the
operator THE-SET-OF-ALL. Furthermore, functions can be reified, or coerced
to terms, via the operator THE-RULE. If f is a syntactically small function
expression which takes one argument then the Ontic expression (THE-RULE f)
denotes the set of pairs that corresponds to the function f. Unlike the function
expression f, the term expression (THE-RULE f) is a first class object;
variables can be bound to it and it can be used as a focus object in an Ontic
context. The operator THE-RULE is not semantically minimal; it is possible to
define the operator THE-RULE using the operator THE-SET-OF-ALL. However
the primitive implementation of the operator THE-RULE allows the system to
perform inferences in a single step that would take many steps if the system
were forced to reason purely in terms of the operator THE-SET-OF-ALL. More
specifically the Ontic language includes the operator APPLY-RULE such that
for any syntactically small function f of one argument the implementation
of the operator THE-RULE allows the system to derive the following equation
in a single step.

(IS (APPLY-RULE (THE-RULE f) x)
    (EQUAL-TO (f x)))

If THE-RULE were a macro that expanded to an expression involving THE-SET-OF-ALL
then the above equation would have to be proved using a several step proof
for each reified function f. One cannot state the above equation as a lemma
about all functions because one cannot quantify over functions. However
one can quantify over rules and the operator THE-RULE provides a way of
reifying syntactically small functions as rules.



6.2 The Ontic Language 

The expressions in the Ontic language are divided into five categories: terms,
functions, formulas, types and type generators. Terms are expressions that
denote mathematical objects such as sets, pairs, graphs, partially ordered
sets and lattices. Function expressions denote operators (functions) that
map objects to objects. Formulas are expressions that are either true or false
in any given interpretation. Type expressions denote one place predicates on
objects; if τ is a type expression and the predicate denoted by τ is true of an
object x, then we say that x is an instance of the type τ. Type generators
are operators which take arguments (which are always terms) and return a
type. For example the type generator GREATER-THAN takes a partially
ordered set P and an element x of P and returns a type whose instances are
the elements of P which are greater than x under the ordering imposed by
P.

Functions, types, and type generators can be λ-expressions. A λ-expression
is an expression of the form

(LAMBDA ((X_1 τ_1) (X_2 τ_2) ... (X_k τ_k)) body)

A λ-expression always denotes an operator; the above expression is an operator
that takes k arguments where each argument must be an instance
of the associated type. If the body of a λ-expression is a formula then the
expression is a type expression and is only allowed to take one argument. If
the body is a term then the λ-expression is a function; if the body is a type
then the λ-expression is a type generator.
There are actually two versions of the Ontic language which differ in the
way variables are treated. The first version of the language is the one used 
in the top level user interface. In this external version of the Ontic language 
a variable is simply a symbol such as X and the same symbol can be used 
in different ways in different contexts. The external version of the language 
should be distinguished from the internal version where individual variables 
have more structure and stronger identity. 

There is a one to one correspondence between the nodes in the graph 
generated by the Ontic compiler and expressions in the internal language. 
In particular there is a one to one correspondence between variable nodes in 
the graph structure and variables of the internal language. This one to one 
correspondence would be impossible for the external language because the 
external language allows a given symbol to be used as variables of different 
types in different contexts. In the internal version of the Ontic language 
each variable has a fixed type that is taken to be a syntactic property of that 
variable. The following λ-type is an example of an external expression:

(LAMBDA ((X SET))
  (IS-EVERY (MEMBER-OF X) SET))

This external expression gets mapped to the following internal expression

(LAMBDA (x^SET)
  (IS-EVERY (MEMBER-OF x^SET) SET))

Note that in the translation process the external symbol X has been replaced
by the internal variable x^SET of type SET.

Only the internal language is formally defined here. Fortunately, the 
external and internal versions of the Ontic language are very similar and the 
definition of the external language should be clear from the definition of the 
internal language. A method of translating external expressions into internal 
expressions is discussed in a later section. 

An internal Ontic expression can be formally defined as one of the twenty 
three different kinds of expressions listed below. 
Definition: An internal Ontic expression is one of the following:

• A type expression which is one of the following:

— One of the type symbols THING, SET, RULE or SYMBOL.
The type SYMBOL is syntactically small while the types
THING, SET, and RULE are all large.

— An application of the form (g t_1 t_2 ... t_k) where g is a
type generator of k arguments and each t_i is a term. A
type expression of this form is syntactically small just
in case the type generator g is syntactically small.

— A λ-type of the form (LAMBDA (x^τ) Φ) where x^τ is a variable
of type τ and Φ is a formula. A type of this form
is syntactically small just in case the domain type τ is
syntactically small. The class of instances of this type
is a subclass of the instances of the type τ.

— An expression of the form (OR-TYPE τ_1 τ_2) where τ_1
and τ_2 are types. A type expression of this form is
syntactically small just in case both the types τ_1 and τ_2 are
syntactically small.

— An expression of the form (RANGE-TYPE f) where f is a
function expression of any number of arguments. A type
expression of this form is syntactically small just in case
the function expression f is syntactically small.

• A term which is one of the following:

— A variable x^τ where τ is a type expression. Each type
τ is associated with an infinite sequence x_1^τ, x_2^τ, x_3^τ, ...
of variables of type τ.

— An application of the form (f t_1 t_2 ... t_k) where f is a
function expression of k arguments and each t_i is a term.

— An expression of the form (THE-SET-OF-ALL τ) where
τ is a syntactically small type expression.

— An expression of the form (THE τ) where τ is a syntactically
small type expression.

— A conditional expression of the form (IF Φ t_1 t_2) where
Φ is a formula and t_1 and t_2 are terms.

— An expression of the form (THE-RULE f) where f is a
syntactically small λ-function of one argument.

— An expression of the form (QUOTE symbol) where symbol
is an atomic symbol.

• A function expression which is one of the following:

— A λ-function of k arguments of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

where each x_i^τ_i is a variable of type τ_i and body is a term.
A λ-function is syntactically small just in case each type
expression τ_i is syntactically small.

— An expression of the form (THE-FUNCTION t) where t
is a term. The term t should denote an instance of the
type RULE, i.e. something expressible as (THE-RULE f).
All functions of this form are functions of one argument
and are syntactically small.

— The primitive function symbol RULE-DOMAIN which is a
large function of one argument. This function should
only be applied to instances of the type RULE.
• A formula which is one of the following:

— A type formula of the form (IS t τ) where t is a term
and τ is a type expression.

— An existence formula of the form (EXISTS-SOME τ) where
τ is a type expression.

— An equality of the form (= e_1 e_2) where e_1 and e_2 are
any internal Ontic expressions.

— A Boolean application of formulas constructed with one
of the Boolean operators NOT, OR, AND, IMPLIES, or IFF.

— A subtype formula of the form (IS-EVERY σ τ) where
σ and τ are type expressions.

• A type generator expression which is one of the following:

— One of the primitive type generators EQUAL-TO, MEMBER-OF,
SUBSET-OF, EITHER or RULE-BETWEEN. The type generators
EITHER and RULE-BETWEEN both take two arguments,
all the others take one. All these type generators
are syntactically small.

— A non-primitive type generator of k arguments of the
form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

where body is a type expression. A type generator of this
form is syntactically small just in case the type body is
syntactically small.

• An unclassified combinator expression. Combinator expressions
are generated when a λ-type is compiled into graph
structure. Combinator expressions are discussed in chapter 7.
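As an added illustration (not code from the Ontic system), the following Python classifies internal expressions into the syntactic categories of the definition above and decides syntactic smallness by the rules just listed, then performs the check from section 6.1 that rejects reifying a large type or function. The tuple encoding, the Var class and the operator tables are assumptions of this example.

```python
"""Syntactic category and syntactic smallness of internal Ontic expressions.

Added example, not code from the Ontic system. Encoding (an assumption of this
example): primitive symbols are strings, applications and LAMBDA forms are
tuples, and an internal variable is a Var carrying its type expression.
"""
from dataclasses import dataclass

# Type symbols, mapped to whether they are syntactically small.
TYPE_SYMBOLS = {"THING": False, "SET": False, "RULE": False, "SYMBOL": True}
PRIMITIVE_GENERATORS = {"EQUAL-TO", "MEMBER-OF", "SUBSET-OF", "EITHER", "RULE-BETWEEN"}
FORMULA_OPS = {"IS", "EXISTS-SOME", "=", "NOT", "OR", "AND", "IMPLIES", "IFF", "IS-EVERY"}
TERM_OPS = {"THE-SET-OF-ALL", "THE", "IF", "THE-RULE", "QUOTE"}


@dataclass(frozen=True)
class Var:
    """Internal variable x_i^tau; the type tau is a syntactic property of it."""
    typ: object
    index: int = 1


class LargeTypeError(Exception):
    """Attempt to reify a large type or function via THE-SET-OF-ALL, THE or THE-RULE."""


def category(e) -> str:
    """One of 'term', 'formula', 'type', 'function', 'generator'."""
    if isinstance(e, Var):
        return "term"
    if isinstance(e, str):
        if e in TYPE_SYMBOLS:
            return "type"
        if e in PRIMITIVE_GENERATORS:
            return "generator"
        if e == "RULE-DOMAIN":
            return "function"
        raise ValueError(f"unknown primitive symbol {e!r}")
    head = e[0]
    if head == "LAMBDA":
        # A lambda is classified by its body: formula -> lambda-type,
        # term -> lambda-function, type -> type generator.
        return {"formula": "type", "term": "function", "type": "generator"}[category(e[2])]
    if head in FORMULA_OPS:
        return "formula"
    if head in TERM_OPS:
        return "term"
    if head in ("OR-TYPE", "RANGE-TYPE"):
        return "type"
    if head == "THE-FUNCTION":
        return "function"
    # Ordinary application: a generator applied to terms is a type,
    # a function applied to terms is a term.
    return {"generator": "type", "function": "term"}[category(head)]


def is_small(e) -> bool:
    """Syntactic smallness of a type, function or type generator expression."""
    if isinstance(e, str):
        if e in TYPE_SYMBOLS:
            return TYPE_SYMBOLS[e]
        return e in PRIMITIVE_GENERATORS  # RULE-DOMAIN is the only large primitive
    head, cat = e[0], category(e)
    if head == "LAMBDA":
        params, body = e[1], e[2]
        if cat == "type":          # (LAMBDA (x^tau) Phi): small iff tau is small
            return is_small(params[0].typ)
        if cat == "function":      # small iff every parameter type is small
            return all(is_small(v.typ) for v in params)
        return is_small(body)      # generator: small iff the body type is small
    if head == "OR-TYPE":
        return is_small(e[1]) and is_small(e[2])
    if head == "RANGE-TYPE":
        return is_small(e[1])
    if head == "THE-FUNCTION":
        return True
    if cat == "type":              # (g t_1 ... t_k) is small iff the generator g is
        return is_small(head)
    raise ValueError(f"{e!r} is not a type, function or type generator")


def check_reifications(e) -> None:
    """Raise LargeTypeError if e reifies a large expression anywhere inside it.

    This is where the absence of unrestricted comprehension is enforced:
    (THE-SET-OF-ALL SET) is rejected, (THE-SET-OF-ALL (SUBSET-OF s)) is not.
    """
    if isinstance(e, Var):
        check_reifications(e.typ)
    elif not isinstance(e, str):
        if e[0] in ("THE-SET-OF-ALL", "THE", "THE-RULE") and not is_small(e[1]):
            raise LargeTypeError(f"cannot reify large expression {e[1]!r}")
        for sub in e:
            check_reifications(sub)
```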



The large size of the internal language makes it difficult to define properties
of expressions; to define an operation on internal expressions it seems
that one must define that operation on each of the twenty three different
kinds of expressions. Fortunately this problem can be avoided. More specifically
the twenty three different kinds of expressions can be classified into four
groups: atomic expressions, variables, lambda expressions, and extensional
applications.



Definition: An atomic expression is either one of the primitive
type symbols, one of the primitive type generator symbols, or a
quotation of the form (QUOTE symbol).

A λ-expression is either a λ-type, a λ-function or a non-primitive
type generator.

An extensional application is an expression other than a variable,
an atomic expression or a λ-expression. All extensional applications
have the form

(op arg_1 arg_2 ... arg_k)
6.3 Binding and Freedom

There are some subtleties in the internal language concerning the notion of
a free variable. The external formula

(EXISTS ((X (MEMBER-OF S)))
  (IS X (MEMBER-OF U)))

is an abbreviation for the external formula

(EXISTS-SOME
  (LAMBDA ((X (MEMBER-OF S)))
    (IS X (MEMBER-OF U))))

which corresponds to the internal formula

(EXISTS-SOME
  (LAMBDA (x^(MEMBER-OF s^SET))
    (IS x^(MEMBER-OF s^SET) (MEMBER-OF u^SET))))

This formula says that there exists a member of s^SET which is also a
member of u^SET. Thus the variable s^SET must be a free variable of this
formula. Note however that s^SET appears in the type of the bound variable
x^(MEMBER-OF s^SET). More generally consider any λ-type of the form

(LAMBDA (x^τ) Φ)

A free variable in the type τ is considered to be free in the λ-type.

In general consider a λ-expression of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

If this λ-expression is a λ-type then it denotes the class of instances of that
type. If the λ-expression is a function or type generator then it denotes
a certain class of tuples. In either case the meaning of the λ-expression
depends on the classes associated with the types τ_i which in turn can depend
on the interpretation of free variables in the type expressions. Thus the free
variables of a λ-expression include free variables in the types of the bound
parameters.
Definition: A variable y^σ appears free in an internal expression
e if one of the following conditions holds:

• e is the variable y^σ.

• e is an extensional application

(op arg_1 arg_2 ... arg_k)

and y^σ appears free either in the operator op or in one of the
arguments arg_i.

• e is a λ-expression of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

where y^σ is not equal to any x_i^τ_i and y^σ appears free either
in body or in the type τ_i of some formal parameter x_i^τ_i.

Note that in λ-functions and type generators of more than one argument a
free variable in the type of one argument may be bound as another argument.
For example consider the type generator GREATER-OR-EQUAL-TO defined in
the external language as follows.

(DEFTYPE (GREATER-OR-EQUAL-TO (X (IN-USET P)) (P POSET))
  (LAMBDA ((Y (IN-USET P)))
    (OR (= Y X)
        (IS Y (GREATER-THAN X P)))))

The type generator GREATER-OR-EQUAL-TO takes two arguments X and P
where P is a partially ordered set and X is a member of P. The above definition
introduces the symbol GREATER-OR-EQUAL-TO as an abbreviation for an
internal type generator of the form

(LAMBDA (x^(IN-USET p^POSET) p^POSET) ...)

In this expression the variable p^POSET which appears free in the type of the
bound variable x^(IN-USET p^POSET) is bound as the second argument and thus
does not appear free in the overall expression.
The definition of the free variables of an expression may seem problematic.
In particular consider an external λ-expression of the form

(LAMBDA ((X (MEMBER-OF Y)) (Y (MEMBER-OF X))) body)

According to the definition given above both occurrences of X and Y in the
type expressions are bound as arguments to the λ-expression. But there is a
circularity in the typing of the formal parameters; the expression takes two
arguments X and Y where X is a member of Y and Y is a member of X. It turns
out that no internal λ-expression has circularities of this kind. Any attempt
to translate circular external expressions into the internal language produces
an error. To see why internal λ-expressions are non-circular we need to define
the notion of rank for internal expressions.



Definition:

• If e is an atomic expression then the rank of e is 0.

• If e is a variable x^τ then the rank of e is one greater than
the rank of the type τ.

• If e is an extensional application

(op arg_1 arg_2 ... arg_k)

then the rank of e is one greater than the maximum rank of
op and the arguments arg_i.

• If e is a λ-expression

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

then the rank of e is one greater than the maximum rank of
body and the variables x_i^τ_i.

Lemma: All parameter lists in internal expressions are non-circular,
i.e. for any parameter list (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) there exists
a permutation (y_1^τ_1 y_2^τ_2 ... y_k^τ_k) of this list such that if y_i^τ_i appears
free in the type expression τ_j then i must be less than j.
Proof: Let

(y_1^τ_1 y_2^τ_2 ... y_k^τ_k)

be a permutation of the list which sorts the parameters by rank,
i.e. if i is less than j then the rank of y_i^τ_i is less than or equal
to the rank of y_j^τ_j. Now suppose that y_i^τ_i appears free in τ_j. We
must show that in this case i is strictly less than j. It follows
from the definition of rank that if y_i^τ_i appears free in τ_j then the
rank of τ_j must be greater than the rank of y_i^τ_i. Furthermore the
rank of y_j^τ_j is one greater than the rank of τ_j. Thus the rank of
y_i^τ_i must be less than the rank of y_j^τ_j so i must be less than j.

6.4 Translating External Expressions

The syntax of the external language is similar to the syntax of the internal
language except that external symbols are used rather than variables and
the syntax of λ-expressions is slightly different. The definition of when a
symbol X appears free in an external expression e is directly analogous to the
corresponding definition for the internal language.

The translation of an external expression into an internal expression is
defined relative to a symbol translation table which contains entries of the
form

X ↦ e

where X is an external symbol and e is an internal expression. Each context
in the Ontic system is associated with a particular symbol translation table;
different translation tables are used in different contexts. If σ is a type
expression in the external language then the context construction operation

(LET-BE X σ)

constructs a context where the symbol translation table includes the entry

X ↦ x^σ'

where x^σ' is an internal variable of type σ' where σ' is the type expression in
the internal language that corresponds to the external type expression σ. If
t is a term in the external language then the context constructor

(LET-BE X t)

yields a context where the symbol translation table contains the entry

X ↦ t'

where t' is the internal term corresponding to the external term t. The same
symbol can be used in different ways in different contexts.

Now consider an external λ-expression of the form

(LAMBDA ((X τ)) body)

To translate this expression relative to a given translation map ρ the system
first translates the external type expression τ to an internal expression τ'. If
there is some free symbol in τ which is not mapped by ρ then the translation
of τ fails. The system then chooses an internal variable x^τ' such that x^τ' does
not appear in ρ, i.e. x^τ' does not appear free in any term t which is the right
hand side of a mapping Y ↦ t in the table ρ. The system then translates
body relative to the table ρ[X ↦ x^τ'] which is the table identical to ρ except
that it maps X to x^τ'. Let body' be the result of translating body relative to
this modified table. The overall translation process then yields the internal
λ-expression

(LAMBDA (x^τ') body')

The general translation process can be precisely defined by a simple case
analysis on the syntax of external expressions.

Definition: If e is an external expression and ρ is a symbol
translation table then the translation Trans(e, ρ) of the expression
e with respect to the table ρ is defined as follows:

• If e is an atomic expression then Trans(e, ρ) equals e.

• If e is an external symbol then Trans(e, ρ) equals ρ(e).

• If e is an application

(op arg_1 arg_2 ... arg_k)

then Trans(e, ρ) equals

(Trans(op, ρ) Trans(arg_1, ρ) Trans(arg_2, ρ) ... Trans(arg_k, ρ))

• If e is a lambda expression of the form

(LAMBDA ((X_1 τ_1) ... (X_k τ_k)) body)

then let ρ' be

NewMap(ρ, ((X_1 τ_1) ... (X_k τ_k)))

where the function NewMap is defined below. The translation
Trans(e, ρ) is then defined to be
(LAMBDA (ρ'(X_1) ... ρ'(X_k)) Trans(body, ρ'))

Let arglist be an argument list of the form ((X_1 τ_1) ... (X_k τ_k))
and let ρ be a symbol translation table. If arglist is empty then
the translation table NewMap(ρ, arglist) equals the table ρ. If
arglist is not empty then the table NewMap(ρ, arglist) is defined
as follows:

• Let (X_i τ_i) be a pair in arglist such that there is no pair (X_j τ_j) in
arglist such that X_j appears free in τ_i. If no such pair (X_i τ_i)
exists then there is a circularity in the type structure of
arglist and the attempt to construct a new translation table
fails.

• Let τ'_i be Trans(τ_i, ρ) and let x^τ'_i be the first variable of type
τ'_i which does not appear in ρ, i.e. which does not appear
free in any term t which is the right hand side of a mapping
Y ↦ t in ρ.

• Let ρ' be the table ρ[X_i ↦ x^τ'_i] which is identical to ρ except
that it maps X_i to x^τ'_i and let restargs be the result of
removing the pair (X_i τ_i) from arglist.

• NewMap(ρ, arglist) equals NewMap(ρ', restargs).
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Lemma: If p' is a translation table of the form 

NewMap(p, ((Xi t x ) ... (X fc r fe ))) 

then for any pair (X,- t;) in the given argument list p'(X,) is an 
internal variable of type Trans(ti, p') 

When translating λ-expressions the system chooses internal variables which 
replace external symbols. The internal variables of each type τ are ordered 
in a linear sequence x_1^τ, x_2^τ, x_3^τ, etc. When the system chooses an internal 
variable of type τ it always chooses the first acceptable variable in this 
sequence. In this way the least possible number of distinct variables appear in 
the internal expression resulting from the translation. Minimizing the 
number of distinct variables that appear in the output expression reduces the 
size of the graph generated by the compilation process; the size of the graph 
is quite sensitive to the number of distinct variables of a given type which 
appear in the expressions being compiled. 



6.5 Substitution 

Given the notion of a free variable we can now define the notion of 
substitution. If e is any internal expression, y^σ is any internal variable, and t is 
any internal term, the expression e[t/y^σ] is the result of replacing all free 
occurrences of y^σ in e by t with appropriate renaming of bound variables in 
e. For example suppose e is a λ-expression of the form 

(LAMBDA (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) body) 

The free variables of this expression may include free variables in the type 
expressions τ_i, and computing e[t/y^σ] may involve substituting into a type 
τ_i of a formal parameter. Thus if e is a lambda expression then the formal 
parameters of e[t/y^σ] may have different types than the formal parameters of 
e, and thus the formal parameters of e[t/y^σ] must be different from the formal 
parameters of e. To properly define substitution for internal Ontic 
expressions one must use the more general notion of a simultaneous substitution 
for a set of expressions. 
Definition: A substitution ω is a finite set of mappings of the 
form 

y^σ ↦ t 

where y^σ is an internal variable and t is an internal term and a 
given variable has at most one mapping under ω. 

The expression e[t/y^σ] is defined to be ω(e) where ω is the 
substitution containing the single mapping y^σ ↦ t. 

For any substitution ω and any internal expression e, the 
expression ω(e) is defined as follows: 

• If ω does not contain a mapping for any free variable in e 
then ω(e) equals e. 

• If e is a variable y^σ and ω contains a mapping of the form 
y^σ ↦ t then ω(e) equals t. 

• If e is an extensional application of the form 

(op arg_1 arg_2 ... arg_k) 

then ω(e) equals 

(ω(op) ω(arg_1) ω(arg_2) ... ω(arg_k)) 

• If e is a λ-expression of the form 

(LAMBDA (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) body) 

then let freevars be the set of free variables of e and let ω' 
be the substitution 

NewSubst(ω, (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}), freevars) 

where the function NewSubst is defined below. In this case 
ω(e) equals 

(LAMBDA (ω'(x_1^{τ_1}) ω'(x_2^{τ_2}) ... ω'(x_k^{τ_k})) ω'(body)) 

Let ω be a substitution, let arglist be an argument list of the form 
(x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) and let freevars be a set of variables. If arglist is 
empty then the substitution NewSubst(ω, arglist, freevars) equals 
the substitution ω. If arglist is not empty then 

NewSubst(ω, arglist, freevars) 

is defined as follows: 

• Let x_i^{τ_i} be a member of the argument list such that no 
variable x_j^{τ_j} in the argument list appears free in τ_i. Such an 
argument must exist because there must be some argument 
of least rank. 

• Let z^{ω(τ_i)} be the first variable of type ω(τ_i) such that for 
every variable y^σ in freevars either there exists a mapping 
y^σ ↦ t in ω and z^{ω(τ_i)} does not occur free in t, or there is no 
mapping y^σ ↦ t in ω and z^{ω(τ_i)} is distinct from y^σ.¹ 

• Let ω' be ω[x_i^{τ_i} ↦ z^{ω(τ_i)}] which is identical to ω except that 
it maps x_i^{τ_i} to z^{ω(τ_i)}. 

• Let arglist' be arglist minus the argument x_i^{τ_i}. 

• Let freevars' be freevars plus the variable x_i^{τ_i}. 

• NewSubst(ω, arglist, freevars) equals 

NewSubst(ω', arglist', freevars') 



Recall that for each type τ the variables of type τ are ordered in a linear 
sequence x_1^τ, x_2^τ, x_3^τ, etc. The above algorithm specifies that whenever 
bound variables are renamed, and a variable of type τ must be chosen as 
a replacement for some other variable, one must take the earliest possible 
variable of type τ. This minimizes the number of variables which ultimately 
get translated into graph structure. 



¹ The first condition ensures that free variables introduced by ω are not captured by the 
new bound variables. The second condition ensures that members of freevars not mapped 
by ω are not captured by the new bound variables. 
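The renaming rules of NewMap in the translation procedure above and of NewSubst here share one idea: the replacement is always the earliest variable of the required type that cannot collide with anything already in play. The following Python is an added example, not the Ontic implementation. It encodes internal expressions as tuples (an assumption of the example) and implements ω(e) and NewSubst exactly as defined above, including the least-rank choice of parameter, the substitution into parameter types, and both capture conditions of the footnote. One case the text leaves open, a free variable that is not itself mapped but whose type mentions a mapped variable, is handled by substituting into the type; that choice is also an assumption of the example.

```python
"""Capture-avoiding simultaneous substitution over internal Ontic-style
expressions (added example, not the Ontic implementation).

Encoding (hashable tuples; an assumption of this example):
  "SYM"                             atomic expression / operator symbol
  ("VAR", i, tau)                   internal variable x_i of type tau
  ("LAMBDA", (v_1, ..., v_k), body) lambda-expression binding v_1 .. v_k
  (op, arg_1, ..., arg_k)           extensional application
"VAR" and "LAMBDA" are reserved markers, never operators.
"""


def var(i, tau):
    return ("VAR", i, tau)


def is_var(e):
    return isinstance(e, tuple) and len(e) == 3 and e[0] == "VAR"


def is_lambda(e):
    return isinstance(e, tuple) and len(e) == 3 and e[0] == "LAMBDA"


def free_vars(e):
    """Free variables of e.  A variable contributes itself and the free
    variables of its type; a lambda-expression contributes its body and its
    parameter types (which may mention other parameters) minus the parameters."""
    if isinstance(e, str):
        return frozenset()
    if is_var(e):
        return frozenset([e]) | free_vars(e[2])
    if is_lambda(e):
        fv = free_vars(e[2])
        for p in e[1]:
            fv |= free_vars(p[2])
        return fv - frozenset(e[1])
    return frozenset().union(*(free_vars(sub) for sub in e))


def new_subst(omega, arglist, freevars):
    """NewSubst: extend omega so each parameter is renamed to the earliest
    variable of its substituted type that captures nothing in freevars."""
    if not arglist:
        return omega
    for x in arglist:                      # parameter of least rank
        if not any(y in free_vars(x[2]) for y in arglist if y != x):
            break
    else:
        raise ValueError("circular type dependencies among parameters")
    new_type = apply_subst(omega, x[2])    # omega(tau_i)
    i = 1
    while True:                            # first admissible z of that type
        z = var(i, new_type)
        if all((z not in free_vars(omega[y])) if y in omega else (z != y)
               for y in freevars):
            break
        i += 1
    omega2 = dict(omega)
    omega2[x] = z                          # omega' = omega[x_i -> z]
    rest = [a for a in arglist if a != x]
    return new_subst(omega2, rest, freevars | {x})


def apply_subst(omega, e):
    """omega(e) for a substitution omega given as {variable: term}."""
    if not any(v in omega for v in free_vars(e)):
        return e
    if is_var(e):
        if e in omega:
            return omega[e]
        # Only a variable free in e's type is mapped: substitute into the
        # type (this case is left open by the text; an assumption here).
        return var(e[1], apply_subst(omega, e[2]))
    if is_lambda(e):
        omega2 = new_subst(omega, list(e[1]), free_vars(e))
        return ("LAMBDA", tuple(apply_subst(omega2, p) for p in e[1]),
                apply_subst(omega2, e[2]))
    return tuple(apply_subst(omega, sub) for sub in e)


def substitute(e, t, y):
    """e[t/y]: the substitution containing the single mapping y -> t."""
    return apply_subst({y: t}, e)


if __name__ == "__main__":
    # Constructed input: substituting x_1 for the free x_2 must rename the
    # bound x_1, giving (LAMBDA (x_2) (P x_2 x_1)) rather than capturing.
    x1, x2 = var(1, "THING"), var(2, "THING")
    e = ("LAMBDA", (x1,), ("P", x1, x2))
    print(substitute(e, x1, x2))
```

The capture case in the usage shows why the footnote's first condition is needed: x_1^THING is rejected as the new bound variable because it occurs free in the term being substituted, so the bound variable becomes x_2^THING, the earliest admissible one. A parameter whose type mentions another parameter is processed after that parameter, so its substituted type already refers to the renamed variable.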
6.6 Macros 

The external language includes certain macros that provide convenient 
abbreviations. The most important macros used in the external language are 
EXISTS and FORALL. The external expression 

(EXISTS ((X τ)) Φ) 

is an abbreviation for the external formula 

(EXISTS-SOME 
  (LAMBDA ((X τ)) 
    Φ)) 

In general the quantifier EXISTS can involve more than one bound variable. 
For example consider an external formula of the form 

(EXISTS ((X (IN-USET P)) 
         (P POSET)) 
  Φ) 

This formula abbreviates the formula 

(EXISTS ((P POSET)) 
  (EXISTS ((X (IN-USET P))) 
    Φ)) 

which becomes 

(EXISTS-SOME 
  (LAMBDA ((P POSET)) 
    (EXISTS-SOME 
      (LAMBDA ((X (IN-USET P))) 
        Φ)))) 

In general the formula 

(EXISTS ((X_1 τ_1) ... (X_k τ_k)) Φ) 

abbreviates the formula 

(EXISTS ((X_i τ_i)) 
  (EXISTS ((X_1 τ_1) 
           ... 
           (X_{i-1} τ_{i-1}) 
           (X_{i+1} τ_{i+1}) 
           ... 
           (X_k τ_k)) 
    Φ)) 

where no X_j appears free in τ_i. This requirement ensures that none of the 
bound symbols X_i appear free in the overall expression. If every τ_i has a free 
occurrence of some X_j then the macro expansion fails. 

The macro FORALL is defined in terms of EXISTS. More specifically 

(FORALL ((X_1 τ_1) ... (X_k τ_k)) Φ) 

abbreviates 

(NOT (EXISTS ((X_1 τ_1) ... (X_k τ_k)) (NOT Φ))) 



The following list shows some additional macros where σ and each τ_i are 
external type expressions, t and u are external terms, f is an external function 
expression of one argument, each X_i is an external symbol, and Y and Z are 
external symbols distinct from all X_i which do not appear free in t, u, f, 
σ or any τ_i. 



Macro Expression                       Expansion 

(AND-TYPE τ_1 τ_2)                     (LAMBDA ((Y τ_1)) 
                                         (IS Y τ_2)) 

(WRITABLE-AS t                         (RANGE-TYPE 
  (X_1 τ_1)                              (LAMBDA ((X_1 τ_1) 
  ...                                             ... 
  (X_k τ_k))                                      (X_k τ_k)) 
                                           t)) 

(WRITABLE-AS σ                         (WRITABLE-AS Y 
  (X_1 τ_1)                              (X_1 τ_1) 
  ...                                    ... 
  (X_k τ_k))                             (X_k τ_k) 
                                         (Y σ)) 

(AT-MOST-ONE σ)                        (FORALL ((Y σ) 
                                                (Z σ)) 
                                         (= Z Y)) 

(EXACTLY-ONE σ)                        (AND (EXISTS-SOME σ) 
                                            (AT-MOST-ONE σ)) 

(APPLY-RULE t u)                       ((THE-FUNCTION t) u) 



In addition to the macros specified above the external language allows 
some simple syntactic abbreviations involving operators and macros which 
take a single type as an argument. More specifically the expression 

(THE-SET-OF-ALL ((X τ)) Φ) 

abbreviates 

(THE-SET-OF-ALL (LAMBDA ((X τ)) Φ)) 

Similarly 

(THE ((X τ)) Φ) 

abbreviates 

(THE (LAMBDA ((X τ)) Φ)) 

The operators AT-MOST-ONE, EXACTLY-ONE and THE-RULE allow for similar 
abbreviations. 
The macros EXISTS and FORALL also allow abbreviated type expressions in 
the list of bound variables. For example the expression 

(FORALL ((X τ Φ)) Ψ) 

says that Ψ holds for every X of type τ such that Φ. This formula abbreviates 
(FORALL ((X σ)) Ψ) where σ is the type (LAMBDA ((X τ)) Φ). 



6.7 Definitions 

Of course the external Ontic language allows for user specified definitions. A 
definition is an expression of the form 

(DEFINE symbol e) 

where symbol is an external symbol and e is any external expression. A 
definition of this form alters the base level symbol translation table so that 
symbol gets translated as the expression e' where e' is the internal translation 
of e. 

Definitions can be made more concise with the macros DEFTYPE and 
DEFTERM. For example the definition 

(DEFTYPE symbol r) 

is the same as 

(DEFINE symbol r) 

but the definition 

(DEFTYPE (symbol (X_1 τ_1) ... (X_k τ_k)) 
  τ) 

is an abbreviation for the definition 

(DEFINE symbol 
  (LAMBDA ((X_1 τ_1) ... (X_k τ_k)) 
    τ)) 

Similarly the definition 

(DEFTERM symbol u) 

is the same as 

(DEFINE symbol u) 

However, the definition 

(DEFTERM (symbol (X_1 τ_1) ... (X_k τ_k)) 
  u) 

is an abbreviation for the definition 

(DEFINE symbol 
  (LAMBDA ((X_1 τ_1) ... (X_k τ_k)) 
    u)) 
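The EXISTS and FORALL expansions of section 6.6, the abbreviated binder form (X τ Φ), and the DEFTYPE and DEFTERM abbreviations of this section are all purely syntactic, and the one non-trivial step is choosing which binder goes outermost. The following Python is an added example, not Ontic's own macro expander: external expressions are written as nested lists with every string an external symbol (an assumption of the example, as are the symbol names used in the usage), and the functions return the expanded external expression or fail when every binder type mentions a bound symbol.

```python
"""Macro expansion for the external Ontic-style syntax: EXISTS, FORALL,
abbreviated binders, and DEFTYPE / DEFTERM (added example, not the Ontic
implementation).

External expressions are nested Python lists; every string is an external
symbol.  A binder is [X, tau] or the abbreviated form [X, tau, Phi] meaning
"X of type tau such that Phi".  This encoding is an assumption of the example.
"""


def free_symbols(e):
    """Symbols occurring free in an external expression; LAMBDA binds."""
    if isinstance(e, str):
        return {e}
    if e and e[0] == "LAMBDA":
        bound = {b[0] for b in e[1]}
        fs = free_symbols(e[2])
        for b in e[1]:
            fs |= free_symbols(b[1])
        return fs - bound
    return set().union(*(free_symbols(sub) for sub in e))


def binder_type(binder):
    """[X, tau, Phi] stands for the type (LAMBDA ((X tau)) Phi)."""
    if len(binder) == 3:
        x, tau, phi = binder
        return ["LAMBDA", [[x, tau]], phi]
    return binder[1]


def expand_exists(binders, body):
    """(EXISTS (binders) body) as nested (EXISTS-SOME (LAMBDA ((X tau)) ...)).
    The outermost binder's type may mention no bound symbol; if every type
    mentions one, the expansion fails."""
    if not binders:
        return body
    names = {b[0] for b in binders}
    for outer in binders:
        if not free_symbols(binder_type(outer)) & names:
            break
    else:
        raise ValueError("every binder type mentions a bound symbol")
    rest = [b for b in binders if b is not outer]
    return ["EXISTS-SOME",
            ["LAMBDA", [[outer[0], binder_type(outer)]],
             expand_exists(rest, body)]]


def expand_forall(binders, body):
    """(FORALL (binders) body) abbreviates (NOT (EXISTS (binders) (NOT body)))."""
    return ["NOT", expand_exists(binders, ["NOT", body])]


def expand_definition(form):
    """(DEFTYPE symbol e) and (DEFTERM symbol e) are (DEFINE symbol e);
    (DEFTYPE (symbol binders...) e) is (DEFINE symbol (LAMBDA (binders) e))."""
    macro, head, e = form
    if macro not in ("DEFTYPE", "DEFTERM"):
        raise ValueError("not a definition macro")
    if isinstance(head, str):
        return ["DEFINE", head, e]
    return ["DEFINE", head[0], ["LAMBDA", head[1:], e]]


if __name__ == "__main__":
    # Constructed input from the text: the binder for P must move outermost
    # because the type of X mentions P.
    print(expand_exists([["X", ["IN-USET", "P"]], ["P", "POSET"]], "PHI"))
```

Because free symbols are computed on the expanded binder type, an abbreviated binder (X τ Φ) never counts X itself as a dependency even though Φ mentions X: the symbol is bound by the λ-type the abbreviation stands for.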

6.8 Summary 

The external Ontic language has now been entirely defined; all of the language 
constructs that appear as primitives in the proof given in the appendix have 
been described in this chapter. A procedure has been given for translating 
expressions in the external language into an internal language where there is 
a one to one correspondence between the nodes in the graph generated by the 
Ontic compiler and expressions in the internal language. The structure of the 
internal language has been discussed in detail, including the notion of free 
variables and a procedure for performing variable substitutions on internal 
expressions. The next section shows how a set Σ of internal Ontic expressions 
can be converted to an Ontic graph G(Σ). Ontic graphs are simpler than 
Ontic expressions; while there are twenty three kinds of Ontic expressions, 
the Ontic graphs defined in chapter 5 have only five kinds of nodes and nine 
kinds of links. 
Chapter 7 

The Ontic Compiler 

The Ontic system compiles a set Σ of Ontic expressions into an Ontic graph 
G(Σ). The graph structure is much simpler than the Ontic language. The 
node and link types of Ontic graphs do not provide the distinguished 
primitive types THING, SET, RULE or SYMBOL. Ontic graphs make no distinction 
between syntactically small and syntactically large types. The node and link 
types of Ontic graphs do not provide set construction operations or definite 
descriptions. Ontic graphs have no explicit provisions for defining new 
functions or type generators or for reifying functions as terms. However, in spite of 
the relative simplicity of Ontic graphs, it is possible to compile internal Ontic 
expressions into Ontic graphs in a way that implements all the features of 
the Ontic language. 



7.1 An Overview of Compilation 

The Ontic compiler takes a set Σ of internal Ontic expressions and generates 
an Ontic graph G(Σ). Each node in the graph G(Σ) corresponds to some 
particular expression in the internal Ontic language, although the expression 
represented by a node in G(Σ) need not be a member of Σ. The notation 
C(Σ) will be used to denote the set of expressions that correspond to the 
nodes in G(Σ). In order to precisely define the set C(Σ) each internal Ontic 
expression e will be associated with a set Aux(e) of internal Ontic expressions 
called the auxiliary expressions for e. The function Aux is defined on a case by 
case basis in later sections. The set C(Σ) is defined relative to the mapping 
Aux as follows: 



Definition: The auxiliary closure C(Σ) of a set of expressions Σ 
is the least set of expressions such that 

• If an extensional application (op arg_1 arg_2 ... arg_k) is in 
C(Σ) then op and each arg_i are in C(Σ). 

• If a λ-expression (LAMBDA (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) body) is in C(Σ) 
then body and each x_i^{τ_i} is in C(Σ). 

• If a variable x^τ is in C(Σ) then τ is in C(Σ). 

• If e is in C(Σ) then C(Σ) contains Aux(e). 

• Let σ be a λ-type of the form (LAMBDA (x^τ) Φ(x^τ)) and let 
y^τ be a variable of type τ. If both σ and y^τ are in C(Σ) then 
C(Σ) also contains the formula 

(IFF (IS y^τ σ) Φ(y^τ)) 

where Φ(y^τ) is the result of replacing all free occurrences of 
x^τ in Φ with y^τ as discussed in chapter 6. 

There is a direct one-to-one correspondence between the expressions in 
C(Σ) and the nodes in the Ontic graph G(Σ); if e is in C(Σ) then the 
node represented by e is written as n_e. Recall that the nodes in an Ontic 
graph come in five types: formula nodes, quotation nodes, variable nodes, 
type nodes, and unclassified nodes. The nodes in the Ontic graph G(Σ) 
that correspond to Ontic formulas, quotation expressions, Ontic variables, 
and type expressions are classified in the obvious way. The nodes 
corresponding to all other expressions are unclassified. Note that if an extensional 
application (op arg_1 arg_2 ... arg_k) is in C(Σ) then C(Σ) also contains the 
operator op. This implies that C(Σ) contains "expressions" such as IMPLIES 
and EXISTS-SOME which are not technically Ontic expressions. Thus the 
graph G(Σ) contains unclassified nodes that correspond to operators such as 
IMPLIES and EXISTS-SOME. 

Just as the set C(Σ) is defined relative to an auxiliary mapping Aux, the 
links in the graph G(Σ) are defined relative to a meaning postulate mapping 
M. More specifically each expression e in the internal Ontic language is 
associated with a set M(e) of meaning postulates where each meaning postulate 
in M(e) is a clause link 

Φ_1 ∨ Φ_2 ∨ ... ∨ Φ_n 

where each Φ_i is a literal involving a node n_s where s is either the expression 
e, a subexpression of e or a member of Aux(e). The mapping M which assigns 
every expression a set of meaning postulates is defined on a case by case basis 
in later sections. Recall that Ontic graphs have nine kinds of links: clause 
links, equality links, subexpression links, free variable links, type declaration 
links, type formula links, subtype links, existence links, and closure links. 
The complete Ontic graph G(Σ) is defined relative to the meaning postulate 
map M as follows: 

• The nodes of G(Σ) consist of all nodes of the form n_e where e is an 
expression in C(Σ). 

• The clauses in G(Σ) are given as follows: 

– G(Σ) includes all clauses in M(e) for e in C(Σ). 

– If σ is the λ-type (LAMBDA (x^τ) Φ(x^τ)) and y^τ is a variable of 
type τ and both σ and y^τ are in C(Σ) then G(Σ) includes the 
clause 

¬n_(EXISTS-SOME τ) ∨ n_(IFF (IS y^τ σ) Φ(y^τ)) 

where Φ(y^τ) is the result of replacing all free occurrences of x^τ 
in Φ with y^τ as discussed in chapter 6. The significance of such 
clauses is discussed below. 

• The equality links in G(Σ) consist of 

– All links of the form 

n_(IS t_1 (EQUAL-TO t_2)) ⇔ n_{t_1} = n_{t_2} 

where the formula (IS t_1 (EQUAL-TO t_2)) is in C(Σ). 

– All links of the form 

n_(IFF p q) ⇔ n_p = n_q 

where the formula (IFF p q) is in C(Σ). 

– All links of the form 

n_(= e_1 e_2) ⇔ n_{e_1} = n_{e_2} 

where the formula (= e_1 e_2) is in C(Σ). 

• The subexpression links in G(Σ) consist of all links connecting the nodes 
n_op, n_{arg_1}, n_{arg_2}, ..., n_{arg_k} to the node n_(op arg_1 arg_2 ... arg_k) 
where the extensional application (op arg_1 arg_2 ... arg_k) is in C(Σ). 

• The free variable links in G(Σ) consist of all links of the form 

n_{x^τ} < n_e 

where e is an expression in C(Σ) such that x^τ appears free in e. 

• The type declaration links in G(Σ) consist of all links of the form 

n_{x^τ} : n_τ 

where x^τ is in C(Σ). 

• The type formula links in G(Σ) consist of all links of the form 

n_(IS u τ) ⇔ n_u : n_τ 

where the formula (IS u τ) is a member of C(Σ). 

• The subtype links in G(Σ) consist of all links of the form 

n_(IS-EVERY σ τ) ⇔ n_σ ≺ n_τ 

where the formula (IS-EVERY σ τ) is a member of C(Σ). 

• The existence formula links in G(Σ) consist of all links of the form 

n_(EXISTS-SOME τ) ⇔ ∃ n_τ 

where the formula (EXISTS-SOME τ) is a member of C(Σ). 

• The closure links in G(Σ) consist of all links of the form 

λ n_{y^τ} . n_{Φ(y^τ)} = n_(LAMBDA (x^τ) Φ(x^τ)) 

where (LAMBDA (x^τ) Φ(x^τ)) is a λ-type in C(Σ), y^τ is a variable of 
type τ in C(Σ) such that y^τ does not appear free in (LAMBDA (x^τ) 
Φ(x^τ)), and Φ(y^τ) is the result of replacing all free occurrences of x^τ in 
Φ by y^τ. 

The complete specification of the set C(Σ) and the graph G(Σ) depends 
on a specification of the mappings Aux and M which give the auxiliary 
expressions and the meaning postulates respectively that are associated with 
any given expression. The mappings Aux and M are defined on a case by case 
basis in the following sections. The significance of each meaning postulate is 
also discussed. 



7.2 λ-Types and Variables 

λ-types and variables are of central importance in the Ontic system; all 
quantification involves the interaction of λ-types and variables. The graph 
G(Σ) contains meaning postulates for individual λ-types, meaning postulates 
for individual variables, and clauses which are generated by a combination 
of a λ-type and a variable. 

The meaning postulates for individual λ-types and variables are fairly 
simple. If σ is the λ-type (LAMBDA (x^τ) Φ) then σ is a subtype of τ; every 
instance of σ is an instance of τ. Thus σ has the auxiliary expression 

(IS-EVERY σ τ) 
The meaning postulates for σ include a clause that contains only the node 
for the above subtype expression. This clause ensures that the node for 
the subtype expression is true in any consistent normalized labeling. The 
auxiliary expressions for the λ-type σ also include (EXISTS-SOME σ) and 
(EXISTS-SOME τ), and the meaning postulates for σ include the clause 

¬n_(EXISTS-SOME σ) ∨ n_(EXISTS-SOME τ) 

This clause states that if there exists an instance of σ then there exists an 
instance of τ. While this last clause is semantically redundant it forces certain 
inferences which would not be performed otherwise. 

There are also meaning postulates for λ-types which allow congruence 
closure to operate on λ-types. In fact every λ-expression in the Ontic language 
has an auxiliary combinator expression. More specifically there is a 
function Comb-Trans which converts λ-expressions into combinator form. For 
any λ-expression e the combinator expression Comb-Trans(e) is an auxiliary 
expression of e. The meaning postulates for e include the clause containing 
the single node 

n_(= e Comb-Trans(e)) 

This clause ensures that n_e is equivalent to n_{Comb-Trans(e)}. 

Combinator expressions allow congruence closure to act on λ-expressions. 
For example consider the two lambda types 

(LAMBDA (x^τ) (IS u (RELATED-TO x^τ))) 

(LAMBDA (x^τ) (IS w (RELATED-TO x^τ))) 

where u and w are terms which do not contain x^τ as a free variable. If both 
of the above expressions are in C(Σ) and if a particular labeling L of G(Σ) 
makes the node for u equivalent to the node for w, then L will equate the 
nodes for these two λ-expressions. Note that if x^τ appears free in either u or 
w then this congruence inference is not valid. 

Combinator conversion algorithms are discussed in [Turner 79] and will 
not be described here. Combinator expressions are used solely for congruence 
closure on λ-expressions; combinator expressions have no auxiliary expressions 
or meaning postulates. However combinator expressions are extensional 
applications and therefore generate subexpression links. 
Each individual variable also has some auxiliary expressions and a meaning 
postulate. If x^τ is a variable of type τ then the auxiliary expressions for 
x^τ consist of the formulas (EXISTS-SOME τ) and (IS x^τ τ). The meaning 
postulates for x^τ consist of the single clause 

¬n_(EXISTS-SOME τ) ∨ n_(IS x^τ τ) 

This clause says that if there exists any instance of the type τ then x^τ is 
an instance of τ. This clause ensures that in any consistent normalized 
labeling, if the node n_(EXISTS-SOME τ) is labeled true then the type node n_τ is 
an established type node for the variable node n_{x^τ}. 

In addition to the auxiliary expressions and meaning postulates for 
individual λ-types and variables there are expressions and clauses which are 
generated by a combination of a λ-type and a variable. Suppose that C(Σ) 
includes both a λ-type (LAMBDA (x^τ) Φ(x^τ)) and a variable y^τ of type τ. Let 
σ be the lambda type (LAMBDA (x^τ) Φ(x^τ)). Under these conditions C(Σ) 
includes the formulas 

(EXISTS-SOME τ) 

and 

(IFF (IS y^τ σ) Φ(y^τ)) 

where Φ(y^τ) is the result of substituting y^τ for all free occurrences of x^τ in Φ 
as discussed in chapter 6. Furthermore the graph G(Σ) includes the clause 

¬n_(EXISTS-SOME τ) ∨ n_(IFF (IS y^τ σ) Φ(y^τ)) 

This clause says that, as long as there exist instances of the type τ, the 
formula (IS y^τ σ) is equivalent to Φ(y^τ). This equivalence can be viewed 
as a definition of the type σ.¹ More specifically, suppose that the system is 
focusing on a term u of type τ and the system is to determine if u is of type 
σ (which is a more specific type than τ). The above equivalence says that u 
is of type σ just in case the formula Φ(u) is true. For simplicity suppose that 
the formulas (IS u σ) and Φ(u) have been compiled, i.e. that they are both 
in C(Σ). Since u is of type τ the system can generate the binding y^τ ↦ u. 
But if y^τ and u are equivalent then by congruence closure the formula (IS y^τ 
σ) is equivalent to the formula (IS u σ) and Φ(y^τ) is equivalent to Φ(u).² 
Thus the binding 

y^τ ↦ u 

together with the truth of the equivalence 

(IFF (IS y^τ σ) Φ(y^τ)) 

causes the formula (IS u σ) to be equivalent to Φ(u). 

In the presence of the binding y^τ ↦ u the equivalence 

(IFF (IS y^τ σ) Φ(y^τ)) 

can be used to determine if u is of type σ even when the formulas (IS u σ) 
and Φ(u) have not been compiled, i.e. are not in C(Σ). In the presence of the 
binding y^τ ↦ u the semantic modulation inference mechanisms ensure that 
the nodes n_{y^τ} and n_u are virtually indistinguishable and that the formulas 
(IS y^τ σ) and Φ(y^τ) behave exactly as the formulas (IS u σ) and Φ(u) 
would behave if they were compiled. 

In general there can be more than one variable of type τ. The definition 
of σ is stated in terms of each variable of type τ. This helps to ensure the 
homogeneity of the generated graph: different variable nodes with the same 
type are identical in that they carry exactly the same information. 

¹ Actually the equivalence provides only a partial definition; it does not state the 
additional condition that σ is a subtype of τ. 



7.3 Meaning Postulates with Quantifiers 

If the lemma library contains a formula of the form (FORALL (x^τ) Φ(x^τ)) 
then for each variable y^τ of type τ the compilation process should generate 
the formula Φ(y^τ) which is the result of replacing all free occurrences of x^τ in 
Φ with y^τ. In this way the compiler should ensure that all information known 
to hold of the type τ is copied for each variable of type τ, and any binding of 
the form y^τ ↦ u causes the term u to inherit information known to hold of 
the type τ. The formula (FORALL (x^τ) Φ(x^τ)) is actually an abbreviation 
for 

(NOT 
  (EXISTS-SOME 
    (LAMBDA (x^τ) 
      (NOT Φ(x^τ))))) 

If the above formula is true the system should ensure that the formula 
Φ(y^τ) is true. This is done via a meaning postulate for type assertion 
formulas. More specifically the meaning postulates for a type assertion formula 
(IS u σ) consist of the single clause 

¬n_(IS u σ) ∨ n_(EXISTS-SOME σ) 

This clause states that if u is an instance of type σ then there exist instances 
of type σ. The clause also states the equally important condition that if 
there are no instances of σ then u is not an instance of σ. In particular, if 
there are no instances of σ then y^τ is not an instance of σ. Given the above 
meaning postulate for type assertion formulas and the meaning postulates 
discussed in the previous section, one can prove an important lemma about 
quantification in the Ontic system. 

² Because combinator expressions ensure that congruence closure operates on 
λ-expressions, the binding y^τ ↦ u causes Φ(y^τ) to be equivalent to Φ(u) even in the case 
where y^τ appears free inside λ-expressions contained in Φ(y^τ). 



Lemma: If the formula (FORALL (x^τ) Φ(x^τ)) is in C(Σ) and 
y^τ is a variable of type τ in C(Σ) then C(Σ) also includes Φ(y^τ). 
Furthermore if L is a consistent normalized labeling of G(Σ) such 
that L assigns the label true to the nodes for (EXISTS-SOME τ) 
and (FORALL (x^τ) Φ(x^τ)) then L also assigns the label true to 
the node for Φ(y^τ). 

Proof: C(Σ) includes the formula 

(NOT 
  (EXISTS-SOME 
    (LAMBDA (x^τ) 
      (NOT Φ(x^τ))))) 

Let σ be the λ-type 

(LAMBDA (x^τ) (NOT Φ(x^τ))) 

Since both σ and y^τ are in C(Σ) the equivalence 

(IFF (IS y^τ σ) (NOT Φ(y^τ))) 

must also be in C(Σ) and thus the formula Φ(y^τ) is in C(Σ). 
Furthermore the formula (IS y^τ σ) is in C(Σ) and so G(Σ) includes 
the clause 

¬n_(IS y^τ σ) ∨ n_(EXISTS-SOME σ) 

Now if L assigns the above universal formula the label true it 
must assign the node for (EXISTS-SOME σ) the label false. Thus 
the node for (IS y^τ σ) must also be assigned false. Furthermore 
G(Σ) contains the clause 

¬n_(EXISTS-SOME τ) ∨ n_(IFF (IS y^τ σ) (NOT Φ(y^τ))) 

Since L assigns the node for (EXISTS-SOME τ) the label true, 
L must also assign the label true to the node for 

(IFF (IS y^τ σ) (NOT Φ(y^τ))) 

But since the node for (IS y^τ σ) is assigned false, the node for 
(NOT Φ(y^τ)) must also be assigned false. But this implies that 
the node for Φ(y^τ) is assigned true. 

The expression 

(FORALL (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) Φ) 

is an abbreviation for nested universal quantification as described in 
chapter 6. The above lemma for a single universal quantifier immediately 
generalizes to multiple universal quantification; a universal formula which quantifies 
over several variables will be instantiated with all variables of the appropriate 
type. 
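The closure C(Σ) of section 7.1 and the clauses of sections 7.2 and 7.3 can be computed mechanically for a small fragment. The following Python is an added example, not the Ontic compiler: it computes the auxiliary closure and the clause set for the fragment consisting of λ-types, variables and type assertion formulas, with Aux and M exactly as given in those sections, and it does not produce equality, subexpression or other non-clause links. The tuple encoding, the renaming helper used for Φ(y^τ), and the treatment of every one-parameter LAMBDA as a λ-type are assumptions of the example. Running it on the expanded form of the lemma's universal formula together with a second variable y^τ reproduces the lemma's first claim, that Φ(y^τ) appears in C(Σ), and produces the two clauses the proof relies on.

```python
"""Auxiliary closure C(Sigma) and meaning-postulate clauses for a fragment of
the internal Ontic language (added example, not the Ontic compiler).

Encoding (hashable tuples; an assumption of this example):
  "SYM"                       atomic expression or operator
  ("VAR", i, tau)             internal variable x_i of type tau
  ("LAMBDA", (v,), body)      lambda-type with one bound variable
  (op, arg_1, ..., arg_k)     extensional application
"""


def is_var(e):
    return isinstance(e, tuple) and len(e) == 3 and e[0] == "VAR"


def is_lambda_type(e):
    return (isinstance(e, tuple) and len(e) == 3 and e[0] == "LAMBDA"
            and len(e[1]) == 1)


def rename(e, x, y):
    """Phi(y): replace free occurrences of the variable x by y.  Assumes y is
    not bound inside Phi (chapter 6's substitution handles the general case)."""
    if e == x:
        return y
    if isinstance(e, str):
        return e
    if is_var(e):
        return ("VAR", e[1], rename(e[2], x, y))
    if e[0] == "LAMBDA":
        if x in e[1]:
            return e                              # x is shadowed here
        return ("LAMBDA", tuple(rename(v, x, y) for v in e[1]),
                rename(e[2], x, y))
    return tuple(rename(sub, x, y) for sub in e)


def aux(e):
    """Aux(e) for lambda-types, variables and type assertion formulas
    (sections 7.2 and 7.3); other expressions get no auxiliaries here."""
    if is_lambda_type(e):
        tau = e[1][0][2]
        return [("IS-EVERY", e, tau), ("EXISTS-SOME", e), ("EXISTS-SOME", tau)]
    if is_var(e):
        return [("EXISTS-SOME", e[2]), ("IS", e, e[2])]
    if isinstance(e, tuple) and e[0] == "IS":
        return [("EXISTS-SOME", e[2])]
    return []


def postulates(e):
    """M(e): clauses as lists of (positive, expression) literals."""
    if is_lambda_type(e):
        tau = e[1][0][2]
        return [[(True, ("IS-EVERY", e, tau))],
                [(False, ("EXISTS-SOME", e)), (True, ("EXISTS-SOME", tau))]]
    if is_var(e):
        return [[(False, ("EXISTS-SOME", e[2])), (True, ("IS", e, e[2]))]]
    if isinstance(e, tuple) and e[0] == "IS":
        return [[(False, e), (True, ("EXISTS-SOME", e[2]))]]
    return []


def definition_formula(lam, y):
    """(IFF (IS y sigma) Phi(y)) for the lambda-type sigma = (LAMBDA (x) Phi)."""
    return ("IFF", ("IS", y, lam), rename(lam[2], lam[1][0], y))


def pairs(c):
    """Each lambda-type in c with each variable in c of its parameter type."""
    for lam in [e for e in c if is_lambda_type(e)]:
        tau = lam[1][0][2]
        for y in [e for e in c if is_var(e) and e[2] == tau]:
            yield lam, y


def closure(sigma):
    """Least set C(Sigma) closed under subexpressions, variable types, Aux
    and the lambda-type / variable definition formulas (section 7.1)."""
    c, todo = set(), list(sigma)
    while True:
        while todo:
            e = todo.pop()
            if e in c:
                continue
            c.add(e)
            if isinstance(e, str):
                continue
            if is_var(e):
                todo.append(e[2])
            elif e[0] == "LAMBDA":
                todo.extend(e[1])
                todo.append(e[2])
            else:
                todo.extend(e)
            todo.extend(aux(e))
        todo = [definition_formula(lam, y) for lam, y in pairs(c)
                if definition_formula(lam, y) not in c]
        if not todo:
            return c


def graph_clauses(c):
    """All clauses of G(Sigma): M(e) for e in C(Sigma) plus, for each pair,
    -n(EXISTS-SOME tau) v n(IFF (IS y sigma) Phi(y))."""
    clauses = [cl for e in c for cl in postulates(e)]
    for lam, y in pairs(c):
        clauses.append([(False, ("EXISTS-SOME", lam[1][0][2])),
                        (True, definition_formula(lam, y))])
    return clauses


if __name__ == "__main__":
    # Constructed input: (FORALL (x) (IS x Q)) in its expanded form, plus a
    # second variable y of the same type.  C(Sigma) then contains (IS y Q).
    x, y = ("VAR", 1, "POSET"), ("VAR", 2, "POSET")
    forall = ("NOT", ("EXISTS-SOME", ("LAMBDA", (x,), ("NOT", ("IS", x, "Q")))))
    print(("IS", y, "Q") in closure({forall, y}))
```

The outer loop is needed because the pair rule is not local: a λ-type and a variable may each enter C(Σ) through unrelated expressions, and only once both are present does their definition formula (and, transitively, its subexpressions) join the set. The fixpoint is finite because renaming a variable to a variable never grows an expression.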
Several kinds of Ontic expressions have meaning postulates that involve 
quantification. For example let f be a λ-function or non-primitive type 
generator of the form 

(LAMBDA (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) body) 

The λ-expression f has the single auxiliary expression 

(FORALL (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) 
  (= (f x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) 
     body)) 

The meaning postulates for f consist of a single singleton clause which states 
that the above formula is true. This formula serves as the definition for 
the operator f. In order for this definition to be invoked on an expression 
(f u_1 u_2 ... u_k) variables of the appropriate type must be bound 
to the arguments u_1 u_2 ... u_k. Once this has been done the application 
(f u_1 u_2 ... u_k) will be equivalent to an appropriate substitution instance 
of body. However in order to get variables of the proper type bound to the 
arguments one must focus on the arguments. Thus in order to invoke the 
definition of an operator f in an application (f u_1 u_2 ... u_k) one must focus 
on all the arguments u_i. 

Semantically, the type generator EITHER could be defined as 

(LAMBDA (x^THING y^THING) 
  (LAMBDA (z^THING) 
    (OR (= z^THING x^THING) 
        (= z^THING y^THING)))) 

Note however that if EITHER were simply an abbreviation for the above 
expression then types of the form (EITHER u w) would not be syntactically 
small. Furthermore, and more seriously, invoking the above definition in 
a particular application requires focusing on the arguments to the operator 
EITHER. The usefulness of the operator EITHER is greatly improved by making 
EITHER a primitive type generator and constructing meaning postulates for 
every type of the form (EITHER u w). 

Let σ be a type expression of the form (EITHER u w). The type σ has 
the auxiliary expressions 
(IS u σ) 

(IS w σ) 

(FORALL (x^σ) 
  (OR (= x^σ u) 
      (= x^σ w))) 

The meaning postulates for σ consist of three singleton clauses which state 
that each of the above formulas is true. 

Let σ be a type expression of the form (OR-TYPE τ_1 τ_2). The type σ has 
the auxiliary expressions 

(IS-EVERY τ_1 σ) 

(IS-EVERY τ_2 σ) 

(FORALL (x^σ) 
  (OR (IS x^σ τ_1) 
      (IS x^σ τ_2))) 

The meaning postulates for σ consist of three singleton clauses which state 
that each of the above formulas is true. 

Let f be a λ-function of the form 

(LAMBDA (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) body) 

and let σ be the type expression (RANGE-TYPE f). The type expression σ 
has two auxiliary formulas: 

(FORALL (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) 
  (IS body σ)) 

(FORALL (y^σ) 
  (EXISTS (x_1^{τ_1} x_2^{τ_2} ... x_k^{τ_k}) 
    (= y^σ body))) 

The meaning postulates for σ consist of two singleton clauses which assert 
that the above formulas are true. These formulas constitute a definition of 
the type σ. 

Let u be the term (THE τ) where τ is any type expression. The term u has 
the auxiliary expressions 

(EXACTLY-ONE τ) 

(IS u τ) 

(FORALL (x^τ) (= x^τ u)) 

where these expressions abbreviate internal Ontic expressions as described 
in chapter 6. The term u has meaning postulates 

¬n_(EXACTLY-ONE τ) ∨ n_(IS u τ) 

¬n_(EXACTLY-ONE τ) ∨ n_(FORALL (x^τ) (= x^τ u)) 

These meaning postulates state that if there is exactly one object of type τ 
then u is of type τ and everything of type τ is equal to u. 



7.4 Reification Expressions 

The Ontic system can only focus on terms; in order to focus on types, 
functions, or type generators the system must first coerce these objects 
to terms. The process of coercing a higher order object to a first order 
term is called reification. The Ontic language has two reification operators: 
THE-SET-OF-ALL which coerces a type to a set, and THE-RULE which coerces 
a function of one argument to a set of pairs. Both of these reification 
operators can only be applied to syntactically small objects, e.g. one cannot 
construct a set of all sets. 

Let s be an expression of the form (THE-SET-OF-ALL τ), where τ is a 
syntactically small type expression. The auxiliary expressions for s consist 
of the formulas (IS s SET) and (= τ (MEMBER-OF s)), and the meaning 
postulates for s consist of two singleton clauses which assert that these two 
formulas are true. 

Now consider the other reification operator, THE-RULE. Let f be the 
λ-function (LAMBDA (x^τ) u) where τ is a syntactically small type expression 
and let r be the term (THE-RULE f). The term r has three auxiliary 
expressions: 

(IS r RULE) 

(= (THE-FUNCTION r) f) 

(= (RULE-DOMAIN r) (THE-SET-OF-ALL τ)) 

The meaning postulates for r consist of three singleton clauses which state 
that each of the auxiliary formulas must be true. 

The meaning postulates for expressions of the form (THE-RULE f) do 
not force this expression to denote a set of pairs; the meaning postulates do 
not force any particular implementation of a rule in terms of sets. However 
the meaning postulates are sufficient to recover all of the information in the 
rule; if r is the expression (THE-RULE f) then one can construct the set of 
pairs corresponding to r from the function (THE-FUNCTION r) and the set 
(RULE-DOMAIN r). 



7.5 Miscellaneous Meaning Postulates 

Let u be the term (IF Φ w1 w2). The auxiliary expressions for u consist
of the equalities (= u w1) and (= u w2). The meaning postulates for u
consist of the following two clauses

¬Φ ∨ (= u w1)

Φ ∨ (= u w2)

These two clauses state that if Φ is true then u equals w1 and if Φ is false
then u equals w2.

Let u be the quotation (QUOTE symbol). The node n_u is a quotation
node and any labeling which equates distinct quotation nodes is taken to
be explicitly contradictory. The auxiliary expressions for u consist of the
single formula (IS u SYMBOL) and the meaning postulates for u consist of a
singleton clause which states that this formula is true.



The meaning postulates for expressions of the form (THE-SET-OF-ALL τ)
and (THE-RULE f) provide meanings for the types SET and RULE; every reified
predicate is a set and every reified function is a rule. Furthermore the type
SYMBOL is defined by the meaning postulates for quotations. The type THING
is the universal type and the type expression THING has the following auxiliary
expressions

(IS-EVERY SET THING)

(FORALL ((z SET))
  (IS-EVERY (MEMBER-OF z) THING))

(IS-EVERY RULE THING)

(IS-EVERY SYMBOL THING)

The meaning postulates for the type THING consist of singleton clauses, one
for each of the above formulas, each of which states that its formula is true.

The type generator EQUAL-TO has the following auxiliary expression.

(= EQUAL-TO
   (LAMBDA ((x THING))
     (EITHER x x)))

The meaning postulates for EQUAL-TO consist of a single clause which states
that the above formula is true. EQUAL-TO has been listed as a primitive type
generator because formulas of the form

(IS u (EQUAL-TO w))

generate equality links; these equality links would not be generated if EQUAL-TO
were defined rather than taken as a primitive.

The type generator SUBSET-OF has the following auxiliary expression.

(= SUBSET-OF
   (LAMBDA ((x SET))
     (LAMBDA ((y SET))
       (IS-EVERY (MEMBER-OF y)
                 (MEMBER-OF x)))))

The meaning postulates for SUBSET-OF consist of a single clause which states
that the above equivalence is true. SUBSET-OF has been listed as a primitive
type generator because it is syntactically small; the equivalent λ-expression
given above is not syntactically small.

The type generator RULE-BETWEEN has the following auxiliary expression.

(= RULE-BETWEEN
   (LAMBDA ((x SET) (y SET))
     (LAMBDA ((z RULE))
       (AND (= (RULE-DOMAIN z) x)
            (FORALL ((w (MEMBER-OF x)))
              (IS ((THE-FUNCTION z) w)
                  (MEMBER-OF y)))))))

The meaning postulates for RULE-BETWEEN consist of a single clause which
states that the above equivalence is true. RULE-BETWEEN has been listed as
a primitive type generator because it is syntactically small; the equivalent
λ-expression given above is not syntactically small.

The meaning postulates for Boolean connectives are given in table 4.1 in
chapter 4.
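The following Python program, added here as an illustration and not taken from the Ontic implementation, carries out the compilation cases above for the forms (IF Φ w1 w2), (THE-SET-OF-ALL τ), (THE-RULE f) and (QUOTE symbol). It produces the auxiliary expressions and the meaning-postulate clauses for a term, shows by unit propagation that the two IF clauses force the intended equality once the truth value of Φ is known, and checks a set of equality links for the explicitly contradictory case of two distinct quotation nodes being equated. The tuple encoding of expressions and the names compile_term, forced_true and contradictory_quotation_labeling are assumptions of this example; the requirement that a reified type be syntactically small is assumed to have been checked elsewhere and is not verified here.

```python
"""Compilation of four Ontic term forms into auxiliary expressions and
meaning-postulate clauses, following the cases in the text.

Added illustration, not the Ontic compiler.  Expressions are nested tuples,
e.g. ("IF", "PHI", "W1", "W2"); a clause is a tuple of (polarity, formula)
literals.  The encoding is an assumption of this example.  Syntactic
smallness of a reified type is not checked here."""
from typing import Any, Dict, List, Set, Tuple

Expr = Any                     # str (symbol or variable) or tuple (application)
Literal = Tuple[bool, Expr]    # (polarity, formula); False means the formula is negated
Clause = Tuple[Literal, ...]   # a disjunction of literals


def to_sexp(e: Expr) -> str:
    """Render a nested tuple in the listing's S-expression syntax."""
    return e if isinstance(e, str) else "(" + " ".join(to_sexp(x) for x in e) + ")"


def singletons(aux: List[Expr]) -> List[Clause]:
    """One unit clause per auxiliary formula: each formula must be true."""
    return [((True, a),) for a in aux]


def compile_term(u: Expr) -> Tuple[List[Expr], List[Clause]]:
    """Return (auxiliary expressions, meaning postulates) for the term u."""
    head = u[0]
    if head == "IF":                                   # (IF phi w1 w2)
        _, phi, w1, w2 = u
        aux = [("=", u, w1), ("=", u, w2)]
        # not-phi or u = w1 ;  phi or u = w2
        return aux, [((False, phi), (True, aux[0])),
                     ((True, phi), (True, aux[1]))]
    if head == "THE-SET-OF-ALL":                       # (THE-SET-OF-ALL tau)
        _, tau = u
        aux = [("IS", u, "SET"), ("=", tau, ("MEMBER-OF", u))]
        return aux, singletons(aux)
    if head == "THE-RULE":                             # (THE-RULE (LAMBDA ((x tau)) body))
        _, f = u
        if f[0] != "LAMBDA" or len(f[1]) != 1:
            raise ValueError("THE-RULE applies to a function of one argument")
        tau = f[1][0][1]
        aux = [("IS", u, "RULE"),
               ("=", ("THE-FUNCTION", u), f),
               ("=", ("RULE-DOMAIN", u), ("THE-SET-OF-ALL", tau))]
        return aux, singletons(aux)
    if head == "QUOTE":                                # (QUOTE symbol)
        aux = [("IS", u, "SYMBOL")]
        return aux, singletons(aux)
    raise ValueError(f"no meaning postulates defined in this example for {head}")


def forced_true(clauses: List[Clause], truth: Dict[Expr, bool]) -> Set[Expr]:
    """Unit propagation: when every other literal of a clause is false under
    `truth`, the single remaining positive literal is forced true."""
    forced: Set[Expr] = set()
    for clause in clauses:
        known = [(pol, f) for pol, f in clause if f in truth]
        unknown = [(pol, f) for pol, f in clause if f not in truth]
        all_known_false = all(truth[f] != pol for pol, f in known)
        if all_known_false and len(unknown) == 1 and unknown[0][0]:
            forced.add(unknown[0][1])
    return forced


def contradictory_quotation_labeling(equalities: List[Tuple[Expr, Expr]]) -> bool:
    """Equality links merge nodes (union-find).  A labeling that puts two
    distinct quotation nodes in one equivalence class is explicitly contradictory."""
    parent: Dict[Expr, Expr] = {}

    def find(x: Expr) -> Expr:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in equalities:
        parent[find(a)] = find(b)
    classes: Dict[Expr, Set[Expr]] = {}
    for node in list(parent):
        if isinstance(node, tuple) and node[0] == "QUOTE":
            classes.setdefault(find(node), set()).add(node)
    return any(len(quotes) > 1 for quotes in classes.values())


if __name__ == "__main__":
    u = ("IF", "PHI", "W1", "W2")
    aux, clauses = compile_term(u)
    for a in aux:
        print(to_sexp(a))
    print(sorted(to_sexp(f) for f in forced_true(clauses, {"PHI": True})))
```

With Φ true only the first IF clause has its negated literal falsified, so propagation yields (= u w1); with Φ false it yields (= u w2); with Φ unknown neither equality is forced, which is exactly what the two clauses say.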



7.6 Summary 

The Ontic compiler converts a set Σ of expressions in the Ontic Language
to an Ontic graph G(Σ). There is a one to one correspondence between the
nodes in G(Σ) and a set C(Σ) of Ontic expressions where C(Σ) contains
Σ as a subset. The compilation process is specified in terms of meaning
postulates which are defined on a case by case basis for the various kinds of
Ontic expressions.

The compilation process is incremental; if Σ' is an incremental extension
of Σ then G(Σ') can be constructed as an incremental extension of G(Σ).
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When a new expression is typed to the top level Ontic interpreter new graph 
structure is incrementally added to represent that expression. When the 
system focuses on a term u of type r it is sometimes necessary to create a 
new variable of type r to bind to u. When a new variable is created new 
graph structure is automatically constructed to represent that variable. 
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Chapter 8 

Some Potential Applications 



There are two ways of evaluating the ideas used in the Ontic system. First, 
one can attempt to evaluate the utility of the ideas in constructing useful 
systems. Second, one can attempt to evaluate the extent to which Ontic's 
inference mechanisms provide a plausible model of human mathematical cognition.
This chapter addresses the first evaluation technique by presenting
a list of potential applications of automated inference systems. The appli- 
cations on this list represent directions for future research; the limitations 
of Ontic's object oriented inference techniques in these applications are not 
currently understood and future research may uncover other inference tech- 
niques which make these applications practical. 

One potential application for automated inference systems is simply the 
verification of mathematical arguments; an author could increase his con- 
fidence in the correctness of a proof using machine verification. The time 
required to "debug" the formal representation of proofs in the Ontic system 
seems to make this application impractical at the current time. However, 
as the inference power of the system is increased, and the lemma library is 
made larger, the system may approach the point where machine verification 
of new mathematics is practical. 

Automated inference mechanisms are needed in the construction of in- 
teractive knowledge bases. The Ontic system is able to automatically use 
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information from a lemma library. An Ontic system based on a lemma li- 
brary that contained the contents of a mathematical textbook could answer 
certain questions about the contents of that book. Such an interactive text- 
book might be valuable in education. If the system could be made to run 
with a very large lemma library, a library containing the contents of many 
textbooks, one could construct an interactive mathematical encyclopedia. 
An interactive encyclopedia could be used by professional mathematicians to 
answer questions and verify arguments in domains that were not familiar to 
the human user. 

Automated inference systems might also be useful in constructing inter- 
active documentation systems. A computer operating system, for example, is 
usually associated with a large amount of documentation. It may be possible 
to translate this documentation into first order axioms that can serve as a 
lemma library underlying an inference system. One would then have a de- 
vice for answering questions about the documented system. The problem of 
answering questions about engineered devices seems similar to, but possibly 
more difficult than, the problem of answering questions about the material 
in a mathematical textbook.

Ontic's object oriented inference mechanism may be useful for program 
verification. Ontic's type system is similar to the type systems of strongly 
typed programming languages. With sufficiently expressive types there is no 
distinction between type checking and verification; any verification problem 
for a computer program can be phrased as a type-checking problem. Ontic's 
object-oriented inference mechanisms are organized around types. It would 
be interesting to explore the application of Ontic's object-oriented inference 
mechanisms to program verification where verification is viewed as a form of 
type-checking. 

Another possible application for Ontic's object-oriented inference mech- 
anisms is common sense reasoning. In his naive physics manifesto Hayes 
proposed writing down first order axioms which express common sense knowl- 
edge about the physical world [Hayes 85]. One might object to Hayes' pro- 
posal on the grounds that first order inference is intractable. It is clear, 
however, that certain limited inferences can be done quickly. It would be 
interesting to explore the application of Ontic's inference mechanisms to rea- 
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soning about common sense situations. Another objection to Hayes' proposal 
is that much, if not most, common sense reasoning is heuristic: the conclu- 
sions are not strictly implied by the given information. The final section of 
this chapter suggests a way in which Ontic's object oriented inference mech- 
anisms could be extended to perform certain forms of heuristic reasoning. 



8.1 Interactive Knowledge Bases 

Ontic's object-oriented inference mechanisms are designed to automatically 
access a large lemma library. By placing various kinds of information in the 
knowledge base underlying an Ontic-like system one could construct inter- 
active mathematical textbooks, interactive mathematical encyclopedias, and 
interactive technical documentation libraries. 

Access to information in Ontic's lemma library is controlled via types: 
the inference mechanism accesses only those portions of the lemma library
that concern types which apply to the given focus objects. For example,
when reasoning about graphs the system automatically ignores facts about 
differentiable manifolds. Thus the lemma library could include information 
about a large number of different subjects and still be used effectively. 

There are several ways one could use an interactive mathematical ency- 
clopedia. First, the encyclopedia could be used to answer questions about 
areas of mathematics that are unfamiliar to the user. Second, the encyclo- 
pedia could verify a user's argument. This would be especially useful when 
the human user is unfamiliar with the subject matter of his own argument. 
Finally, a mathematician who develops a new concept could ask the system 
if that concept has already been defined under some other name. 

Recognizing user-defined concepts is particularly difficult; there may be 
a defined concept in the encyclopedia which is "essentially the same" as a 
user-defined concept but the two definitions are technically different. For 
example, consider the concept of an equivalence relation. An equivalence 
relation can be defined as a relation, i.e. a set of pairs, which is symmetric, 
transitive, and reflexive. Alternatively, an equivalence relation can be defined 
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as a partition of a set into equivalence classes. These two definitions seem 
to define the same concept and yet the two classes are technically disjoint: a 
partition is different from a set of pairs. It turns out that one can define a 
very general notion of iso-onticity under which equivalence relations (as sets 
of pairs) are iso-ontic to partitions [McAllester 83]. There are many other 
examples of iso-onticities between classes. For example a function f of two
arguments defines a Curried function f' such that for all arguments x and
y, the application f'(x) yields a function such that

f(x, y) = f'(x)(y)

The function f is iso-ontic to its curried version f'. As another example
consider a graph. A graph can be defined in two ways: a graph can be 
defined as a set of nodes together with a set of arcs where each arc is a set of 
two nodes. Alternatively, a graph could be defined as a set of nodes together 
with a symmetric anti-reflexive binary relation on those nodes. A relation, 
i.e. a set of pairs, is different from a set of arcs, i.e. a set of sets. A set of 
two-elements sets, however, is iso-ontic to a symmetric anti-reflexive binary 
relation. There are many examples of iso-onticities in mathematics. Ideally 
an interactive encyclopedia would recognize when a user-defined concept is 
iso-ontic to a concept that already exists in the encyclopedia. 
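The three iso-onticities just described (a two-argument function and its curried form, a set of two-element arcs and a symmetric anti-reflexive relation, and a partition and an equivalence relation) can be made concrete as conversions that lose no information in either direction. The Python below is an added example, not part of Ontic or of [McAllester 83]; it restricts itself to finite sets, represents sets as Python frozensets and ordered pairs as tuples, and rejects inputs outside the class in question (for instance a relation that is not symmetric). All of these choices are assumptions of the example.

```python
"""Three iso-onticities as executable, information-preserving conversions.
Added example, not part of Ontic.  Finite sets only: sets are frozensets,
ordered pairs are tuples (assumptions of this example)."""
from typing import Any, Callable, FrozenSet, Hashable, Set, Tuple

Pair = Tuple[Hashable, Hashable]


def curry(f: Callable[[Any, Any], Any]) -> Callable[[Any], Callable[[Any], Any]]:
    """f(x, y)  ->  f'(x)(y)."""
    return lambda x: (lambda y: f(x, y))


def uncurry(g: Callable[[Any], Callable[[Any], Any]]) -> Callable[[Any, Any], Any]:
    """f'(x)(y)  ->  f(x, y); the inverse of curry."""
    return lambda x, y: g(x)(y)


def edges_to_relation(arcs: Set[FrozenSet]) -> Set[Pair]:
    """Graph as a set of two-element sets  ->  symmetric anti-reflexive relation."""
    rel: Set[Pair] = set()
    for arc in arcs:
        if len(arc) != 2:
            raise ValueError("an arc is a set of exactly two nodes")
        a, b = tuple(arc)
        rel.add((a, b))
        rel.add((b, a))
    return rel


def relation_to_edges(rel: Set[Pair]) -> Set[FrozenSet]:
    """Inverse of edges_to_relation; rejects relations outside the iso-ontic class."""
    for a, b in rel:
        if a == b:
            raise ValueError("relation must be anti-reflexive")
        if (b, a) not in rel:
            raise ValueError("relation must be symmetric")
    return {frozenset(p) for p in rel}


def partition_to_relation(blocks: Set[FrozenSet]) -> Set[Pair]:
    """Partition (disjoint non-empty equivalence classes)  ->  set of pairs."""
    seen: Set[Hashable] = set()
    for block in blocks:
        if not block or block & seen:
            raise ValueError("blocks must be non-empty and pairwise disjoint")
        seen |= block
    return {(a, b) for block in blocks for a in block for b in block}


def relation_to_partition(rel: Set[Pair], domain: Set[Hashable]) -> Set[FrozenSet]:
    """Inverse of partition_to_relation on `domain`; checks reflexivity,
    symmetry and transitivity before building the equivalence classes."""
    for a in domain:
        if (a, a) not in rel:
            raise ValueError("relation must be reflexive on the domain")
    for a, b in rel:
        if (b, a) not in rel:
            raise ValueError("relation must be symmetric")
        for c, d in rel:
            if b == c and (a, d) not in rel:
                raise ValueError("relation must be transitive")
    return {frozenset(b for b in domain if (a, b) in rel) for a in domain}
```

Each pair of functions composes to the identity on its class, which is the operational content of calling the two representations iso-ontic: a set of arcs and a symmetric anti-reflexive relation are different sets, but neither carries information the other lacks.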



8.2 Software Verification 

Type checking has proved to be a practical way of finding certain errors in 
computer programs. Currently available type checking systems use a weak 
vocabulary of types — there is no way to treat an arbitrary predicate as a 
data type. If the type vocabulary is made richer then stronger "semantic" 
properties of programs can be expressed as type constraints. In fact, if any 
predicate on data structures can be expressed as a type then any semantic 
specification for a computer program can be expressed as type restrictions. 
For example, if iteration is replaced by recursion then a programmer can 
provide loop invariants simply by placing type restrictions on the arguments 
of recursive functions. 

If arbitrary predicates on data structures can be expressed as types then 
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type checking requires theorem proving. One might argue that, because the- 
orem proving is intractable, one should not use fully expressive type systems. 
This criticism carries little weight, however, if one is willing to allow type 
checking to fail. A failure to type check simply means that the system failed 
to prove the program correct; it does not mean that the program is wrong. 
Since Ontic's object-oriented theorem proving mechanisms are guaranteed to 
terminate quickly, a type checking system based on Ontic's theorem prov- 
ing mechanisms could also be made to terminate quickly. Programs which 
fail to type check are classified as "not obviously correct". Since the On- 
tic's inference mechanisms can automatically use a large lemma library, the 
power of a type checker based on Ontic could always be increased by adding 
more lemmas. Such lemmas could either be proved from first principles or 
simply added as axioms. Adding lemmas should cause more programs to be 
classified as obviously correct. 

Type checking has already been demonstrated to be practical for certain 
restricted type vocabularies. It seems likely that type checking using more 
expressive types would be equally practical in the sense that all types which 
are checked by existing systems could still be checked in the more general
setting. A system with fully expressive types could gradually be extended
to incorporate more powerful inference techniques under the constraint that 
type checking terminates quickly. 



8.3 Common Sense and Default Reasoning 



Hayes has proposed using first order logic as a language for representing 
common sense knowledge about the physical world [Hayes 85]. One possible 
objection to first order logic as a representation language is that theorem 
proving is intractable. It would be interesting to see if Ontic's object ori- 
ented theorem proving mechanisms could be used to answer common sense 
questions about the physical world using a formal fact library. 

Another objection to first order logic as a knowledge representation lan- 
guage is that common sense reasoning is often heuristic: heuristic reasoning 
produces conclusions which are likely, but not necessarily true. This
observation has led to the development of default logics and semantic network
formalisms that allow the cancellation of inheritance links [Fahlman 79]
[Etherington & Reiter 83]. It seems likely that Ontic's object oriented inference
mechanisms could be extended to handle certain kinds of heuristic inference. 
Ontic's inference mechanisms are organized around types. It seems plausible 
that heuristic knowledge could also be organized around types. More specif- 
ically one could introduce the quantifier FORMOST which is analogous to the 
quantifier FORALL. One could then write axioms such as the following 

(FORMOST ((X BIRD)) (IS X FLYING-ANIMAL)) 

One can assign truth values to FORMOST formulas by associating each type 
with a probability distribution over instances of that type. In general, a 
formula of the form

(FORMOST ((x τ)) Φ(x))

is true just in case the fraction of instances of type τ which satisfy Φ(x)
is above some threshold α. If the threshold α is large, say 95%, then a
reasoning system might perform heuristic inferences by treating FORMOST the 
same way it treats FORALL: given that most birds fly, and Tweety is a bird, 
the system would "deduce" that Tweety flies. The facts that Tweety is a 
bird and that most birds fly do not imply that Tweety flies, or even that 
it is likely that Tweety flies, whatever that means. People, however, will
naturally conclude that Tweety probably flies. Thus heuristic inference is 
not semantically sound. However, unsound heuristic inference seems to be 
useful. 

The following example indicates that inclusion relationships between types 
play an important role in human heuristic reasoning. I will use the expression 

(ARE-MOST τ σ)

as an abbreviation for

(FORMOST ((x τ)) (IS x σ))

The following "inheritance network" concerning molluscs is adapted from
[Etherington & Reiter 83].

(ARE-MOST MOLLUSC SHELL-BEARER) 
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(IS-EVERY CEPHALOPOD MOLLUSC) 

(ARE-MOST CEPHALOPOD (NOT-TYPE SHELL-BEARER)) 

(IS-EVERY NAUTILUS CEPHALOPOD) 

(IS-EVERY NAUTILUS SHELL-BEARER) 

Given the above information together with the statement that Squirmy 
is a mollusc one would naturally conclude that Squirmy is probably a shell- 
bearer. If one is then told that Squirmy is a cephalopod one would conclude 
that Squirmy is probably not a shell-bearer. Note that in this second case 
there is a conflict between two FORMOST assertions that apply to Squirmy: 
most molluscs have shells but most cephalopods do not have shells. In this 
case the known inclusion relationship between the types CEPHALOPOD and 
MOLLUSC seems to resolve the conflict. Finally, if one is told that Squirmy is 
a nautilus one would in fact know, according to the above information, that 
Squirmy is a shell bearer. 

If a reasoning system treats FORMOST assertions in the same way that 
it treats FORALL assertions it will perform unsound inferences. In particular,
each universal instantiation of a FORMOST assertion is unsound. If some
unsound FORMOST instantiation produces a conclusion which conflicts with 
known information then that unsound instantiation inference should be re- 
tracted. Furthermore, if two unsound instantiations of FORMOST assertions are 
mutually contradictory, and there is an inclusion relation between the types 
quantified over in the two FORMOST assertions, then the FORMOST assertion 
with the more specific type should dominate and the unsound instantiation 
of the other FORMOST assertion should be retracted. More research is needed 
to determine if these guidelines lead to an efficient and useful heuristic rea- 
soning system. 
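The following Python program, added here as an illustration and not part of the Ontic system, applies the three guidelines just stated to the mollusc network above: every ARE-MOST assertion whose type applies to the individual is instantiated (unsoundly), an instantiation that conflicts with a sound conclusion is retracted, and when two instantiations conflict and their types stand in an inclusion relation the assertion with the more specific type dominates. Known information about an individual is limited to positive type membership, the IS-EVERY closure is the only sound inference performed, and the class and method names are assumptions of the example.

```python
"""A toy heuristic reasoner following the FORMOST guidelines in the text:
unsound instantiation of ARE-MOST assertions, retraction of an instantiation
that conflicts with known information, and dominance of the more specific
type when two instantiations conflict.  Added example, not part of Ontic.
Known information about an individual is a set of types it is known to have;
the sound part of the classification is the IS-EVERY closure of that set."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class HeuristicReasoner:
    def __init__(self) -> None:
        # (IS-EVERY sub sup): every instance of sub is an instance of sup
        self.is_every: Dict[str, Set[str]] = defaultdict(set)
        # (ARE-MOST tau sigma) stored as (tau, sigma, True);
        # (ARE-MOST tau (NOT-TYPE sigma)) stored as (tau, sigma, False)
        self.are_most: List[Tuple[str, str, bool]] = []

    def add_is_every(self, sub: str, sup: str) -> None:
        self.is_every[sub].add(sup)

    def add_are_most(self, tau: str, sigma: str, positive: bool = True) -> None:
        self.are_most.append((tau, sigma, positive))

    def supertypes(self, t: str) -> Set[str]:
        """Reflexive transitive closure of IS-EVERY starting at t (sound)."""
        seen, stack = {t}, [t]
        while stack:
            for sup in self.is_every[stack.pop()]:
                if sup not in seen:
                    seen.add(sup)
                    stack.append(sup)
        return seen

    def classify(self, known: Set[str], query: str) -> str:
        """Decide whether an individual with the given known types has type
        `query`: "known", "probably", "probably-not", "undetermined" or "unknown"."""
        sound: Set[str] = set().union(*(self.supertypes(t) for t in known))
        if query in sound:
            return "known"        # sound conclusion; any conflicting default is retracted
        # unsound instantiations: every ARE-MOST about `query` whose type applies
        candidates = [(tau, pos) for tau, sigma, pos in self.are_most
                      if sigma == query and tau in sound]
        retracted: Set[Tuple[str, bool]] = set()
        for tau1, pos1 in candidates:
            for tau2, pos2 in candidates:
                # conflicting conclusions with tau1 strictly more specific than
                # tau2: the assertion about tau1 dominates, the other is retracted
                if pos1 != pos2 and tau1 != tau2 and tau2 in self.supertypes(tau1):
                    retracted.add((tau2, pos2))
        survivors = [c for c in candidates if c not in retracted]
        polarities = {pos for _, pos in survivors}
        if not polarities:
            return "unknown"
        if polarities == {True}:
            return "probably"
        if polarities == {False}:
            return "probably-not"
        return "undetermined"    # conflicting defaults whose types are incomparable


def mollusc_network() -> HeuristicReasoner:
    """The inheritance network of the text, plus the bird example."""
    r = HeuristicReasoner()
    r.add_are_most("MOLLUSC", "SHELL-BEARER")
    r.add_is_every("CEPHALOPOD", "MOLLUSC")
    r.add_are_most("CEPHALOPOD", "SHELL-BEARER", positive=False)
    r.add_is_every("NAUTILUS", "CEPHALOPOD")
    r.add_is_every("NAUTILUS", "SHELL-BEARER")
    r.add_are_most("BIRD", "FLYING-ANIMAL")
    return r


if __name__ == "__main__":
    r = mollusc_network()
    for squirmy in ({"MOLLUSC"}, {"CEPHALOPOD"}, {"NAUTILUS"}):
        print(sorted(squirmy), "->", r.classify(squirmy, "SHELL-BEARER"))
```

Run on Squirmy the answers are "probably", "probably-not" and "known" in turn, matching the three stages of the discussion; when two conflicting defaults apply through incomparable types (a bird that is also a pet, with most pets not flying) neither dominates and the program reports "undetermined" rather than picking one.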
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Chapter 9 

A Summary of Ontic 



The Ontic system has the following features: 

• The Ontic formal language is organized around a rich vocabulary of
types.

- There are many different ways of constructing type expressions. 
Any predicate of one argument is a type. Type generators can be 
applied to arguments to yield types. There are special constructs 
such as WRITABLE-AS for constructing types from terms. Types 
can be combined with Boolean combinators to yield other types. 

- There are many different ways of using types. Types are used as 
predicates in formulas of the form (IS x r). Types restrict the 
range of quantifiers. A type can be used to construct a term via 
the operator THE. A type can be used to construct a set via the 
operator THE-SET-OF-ALL. Types can be directly related via the 
combinator IS-EVERY. 

- Types play a central role in Ontic's object-oriented inference mech- 
anisms. 

• Most of the axioms of Zermelo-Fraenkel set theory are incorporated into
the syntactic definition of a small type expression and a small function 
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expression; type and function expressions which are syntactically small 
can be reified via the operators THE-SET-OF-ALL and THE-RULE respec- 
tively. 

• Many modern theorem provers are based on some kind of backward 
chaining rewrite mechanism guided by a notion of simplification. On- 
tic is based on a forward chaining mechanism guided by a notion of 
focus. Ontic's forward chaining inference process is restricted to for- 
mulas which are about a given set of focus objects. 

• Ontic automatically finds and applies information from a large lemma 
library. The Ontic system classifies each focus object by finding types
that are true of that object. If a focus object x is classified as being 
an instance of type r then the system automatically applies knowledge 
about the type r to the focus object x. 

• Ontic's inference mechanisms are implemented as labeling operations 
on a graph structure. The graph structure represents a compiled version 
of the lemma library and is analogous to a semantic network. The graph 
labeling process implements a virtual copy mechanism whereby a focus 
object becomes a virtual copy of a generic individual. 

• Ontic performs automatic universal generalization as part of its for- 
ward chaining inference process. In universal generalization the generic 
individuals in Ontic's graph structure are analogous to the Skolem con- 
stants introduced in a resolution theorem prover by a universally quan- 
tified goal formula. At other times the same generic individuals are used 
as universal variables which get instantiated with (bound to) focus ob- 
jects. At still other times generic individuals act as Skolem constants 
introduced by existential premises. The types associated with generic 
individuals are central to the automatic universal generalization mech- 
anism: the types determine the range of applicability of the derived 
universal statement. 

It is not clear which of the above features are most responsible for the 
power of the Ontic system. Some features are orthogonal to others. For 
example, the reification operations THE-SET-OF-ALL and THE-RULE could be 
removed from the system: no other feature of the system depends on the
reification operators. Similarly, the universal generalization mechanism could
be removed without affecting any other mechanism. Other features are less
modular.

It would probably be possible to find some object-oriented forward chain- 
ing inference mechanism that does not use graph-labeling. Such a mecha- 
nism would be restricted so that variables are only instantiated with focus 
objects. Implementing congruence closure and automatic universal general- 
ization, however, might be difficult in a system that was based on formula 
manipulation rather than graph labeling. 

On the other hand, one can imagine a graph-labeling inference mechanism
not guided by focus objects. In such a system bindings for generic individuals 
would be generated in some other way. Early versions of the Ontic system 
used graph-labeling inference mechanisms, including a virtual copy mecha- 
nism based on binding generic individuals, but did not use focus objects to 
guide the binding process. These early versions of the system did not per- 
form well. User-specified focus objects seem to be central to the operation 
of Ontic. 

All of the features of the Ontic system utilize types. In addition to provid- 
ing concise and natural formulas, types are central to accessing information 
in the lemma library, binding generic individuals, automatic universal gen- 
eralization, and reification. It is difficult to imagine any version of the Ontic 
system not organized around types. 

Knowledge representation and automated inference may ultimately have 
a profound effect on our society. Interactive encyclopedias may some day be 
able to answer questions about a large fraction of human knowledge. Such 
encyclopedias would make all current forms of publication obsolete. Thus, 
however the future judges the ideas presented here, I hope that research in 
inference and knowledge representation will continue. 



Appendix A 

The Stone Representation 
Theorem 



This appendix contains a complete listing of a mathematical development 
which starts with a foundational system equivalent to ZFC set theory and 
ends with a proof of the Stone representation theorem. The listing contains 
three types of information: the definitions of all non-primitive terms used in 
the development, the lemmas proven, and the machine verified proof of each 
lemma. Definitions appear centered on the page while lemmas are shown in 
a left hand column next to their proofs which appear in a right hand column. 
The "proofs" are actually recorded histories of interactions with the Ontic 
interpreter. 

The listing is cumulative; at each point in the listing the system has access 
to all definitions and lemmas presented earlier in the listing. At any given 
point in the listing the definitions and lemmas given prior to that point are 
stored in a fact library that is accessed automatically by the system. At 
the end of the listing the accumulated fact library contains 509 facts: 154 
definitions and 355 lemmas. 

The listing is divided into sections each of which begins with an English
description of the contents of that section. The first four sections introduce
basic notions from set theory such as singleton and doubleton sets, unions
and intersections, pairs, relations, structures, and functions. These first four
sections contain 254 facts; roughly half the total. The remaining sections
develop facts about partial orders, lattices, filters in lattices, and the Stone
representation theorem. Table A.1 shows the number of facts in each section.

Section                                            Number of Facts
Fundamentals                                                    95
Pairs, Rules and Structures                                     39
Maps                                                            75
Relations, Choice and Relation Structures                       45
Partial Orders and Zorn's Lemma                                 68
Lattices                                                        48
Bounded, Distributive, and Complemented Lattices                40
Sublattices                                                     35
Lattice Morphisms                                               25
Filters and Ultrafilters                                        18
The Stone Representation Theorem                                21
Total                                                          509

Table A.1: The number of facts in each section
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A.l Fundamentals 



This section contains basic facts about sets. More specifically this section 
contains: 



• A proof of the existence and uniqueness of the empty set. 

• Facts about inserting objects into sets. 

• Facts about singleton and doubleton sets. 

• A version of Russell's paradox that proves that for every set there exists
something not in that set.

• Facts about families of sets. 

• Facts about unions and intersections of sets. 

• Facts about removing objects from sets. 

• Facts about power sets. 

We begin with the empty set: 

(DEFTYPE EMPTY-SET
  (LAMBDA ((S SET))
    (NOT
      (EXISTS-SOME
        (MEMBER-OF S)))))

(LEMMA (EXISTS-SOME EMPTY-SET))

(IN-CONTEXT
  ((PUSH-GOAL (EXISTS-SOME EMPTY-SET))
   (LET-BE S SET)
   (LET-BE S2
     (THE-SET-OF-ALL (X (MEMBER-OF S))
       (NOT (= X X)))))
  (NOTE-GOAL))

(LEMMA (AT-MOST-ONE EMPTY-SET))

(IN-CONTEXT
  ((LET-BE S1 EMPTY-SET)
   (LET-BE S2 EMPTY-SET))
  (NOTE (AT-MOST-ONE EMPTY-SET)))
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APPENDIX A. THE STONE REPRESENTATION THEOREM 



(DEFTERM THE-EMPTY-SET
  (THE EMPTY-SET))

(LEMMA
  (NOT
    (EXISTS-SOME
      (MEMBER-OF THE-EMPTY-SET))))

(IN-CONTEXT
  ((LET-BE S THE-EMPTY-SET))
  (NOTE
    (NOT
      (EXISTS-SOME
        (MEMBER-OF THE-EMPTY-SET)))))

(DEFTERM (INSERT (X THING) (S SET))
  (THE-SET-OF-ALL
    (OR-TYPE (EQUAL-TO X)
             (MEMBER-OF S))))



(LEMMA
  (FORALL ((Y THING)
           (S SET))
    (IS (INSERT Y S) SET)))


(LEMMA
  (FORALL ((X THING)
           (Y THING)
           (S SET))
    (IS (INSERT X (INSERT Y S)) SET)))

(LEMMA
  (FORALL ((Y THING)
           (X THING)
           (S SET))
    (= (INSERT X (INSERT Y S))
       (INSERT Y (INSERT X S)))))



(IN-CONTEXT
  ((LET-BE Y THING)
   (LET-BE X THING)
   (LET-BE S SET)
   (LET-BE IY (INSERT Y S))
   (LET-BE IXY (INSERT X IY)))
  (NOTE (IS IY SET))
  (NOTE (IS IXY SET))
  (IN-CONTEXT
    ((LET-BE IX (INSERT X S))
     (LET-BE IYX (INSERT Y IX))
     (PUSH-GOAL (= IXY IYX)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS IXY (SUBSET-OF IYX))))
      (IN-CONTEXT
        ((LET-BE Z (MEMBER-OF IXY)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Z (MEMBER-OF IYX))))
          (IN-CONTEXT
            ((SUPPOSE (= Z X)))
            (NOTE-GOAL))
          (IN-CONTEXT
            ((SUPPOSE (= Z Y)))
            (NOTE-GOAL))
          (NOTE-GOAL)))
      (NOTE+GENERALIZE-GOAL))
    (NOTE-GOAL)))
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(LEMMA 

(FORALL ((S SET 

(EXISTS-SOHE 

(HEHBER-DF S))) 
(X (HEMBER-OF S)) 
(S2 (SUBSET-OF S))) 
(IS (IHSERT X S2) 

(SUBSET-OF S)))) 



(IH-COHTEXT 

((LET-BE S SET 

(EXISTS-SOHE (MEHBER-OF S))) 
(LET-BE S2 (SUBSET-OF S)) 
(LET-BE X (MEHBER-OF S)) 
(LET -BE SX2 (IHSERT X S2)) 
(PUSH-GOAL (IS SX2 (SUBSET-OF S)))) 
(IH-COHTEXT 

((LET-BE Y (HEHBER-OF SX2))) 
(IH-COHTEXT 

((PUSH-GOAL (IS Y (HEHBER-OF S)))) 
(IH-COHTEXT 

((SUPPOSE (IS Y (HEHBER-OF S2)))) 
(HOTE-GOAD) 
(HOTE-GOAD) 
(HOTE-GOAD)) 



(LEMMA
  (FORALL ((X THING) (S SET))
    (= (INSERT X S)
       (INSERT X
         (INSERT X S)))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE S SET)
   (LET-BE S2 (INSERT X S))
   (LET-BE S3 (INSERT X S2))
   (PUSH-GOAL (= S2 S3)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS S3 (SUBSET-OF S2)))
     (LET-BE Y (MEMBER-OF S3)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS Y (MEMBER-OF S2))))
      (IN-CONTEXT
        ((SUPPOSE (= Y X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))



The DEFNOTATION construct allows the user to define macros. The fol-
lowing form defines the operator MAKE-SET so that (MAKE-SET X) abbrevi-
ates (INSERT X THE-EMPTY-SET) and (MAKE-SET X1 X2 ... XN) abbreviates
(INSERT X1 (MAKE-SET X2 ... XN)).

(DEFNOTATION (MAKE-SET &REST ELEMENTS)
  (IF (NULL ELEMENTS)
      'THE-EMPTY-SET
      `(INSERT ,(CAR ELEMENTS)
               (MAKE-SET ,@(CDR ELEMENTS)))))
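As an added illustration, not part of the Ontic interpreter, the following Python program reads the S-expression syntax of the listing, expands the MAKE-SET notation exactly as the DEFNOTATION above does, and evaluates the resulting INSERT forms to Python frozensets so that the two INSERT lemmas proved above (commutation of two insertions and idempotence of inserting the same object twice) can be checked on concrete symbols. Treating symbols other than THE-EMPTY-SET as urelements that denote themselves, and the function names read_sexp, expand_make_set, write_sexp and denotation, are assumptions of this example.

```python
"""Reader, MAKE-SET expander and a small set-denotation evaluator for the
S-expression syntax of the listing.  Added example, not part of Ontic.
Symbols other than THE-EMPTY-SET are treated as urelements denoting
themselves, an assumption of this example."""
import re
from typing import Any, List, Union

Sexp = Union[str, List[Any]]


def read_sexp(text: str) -> Sexp:
    """Parse one S-expression: atoms become strings, lists become Python lists."""
    tokens = re.findall(r"[()]|[^\s()]+", text)

    def parse(i: int):
        if i >= len(tokens):
            raise SyntaxError("unexpected end of input")
        tok = tokens[i]
        if tok == "(":
            items, i = [], i + 1
            while i < len(tokens) and tokens[i] != ")":
                item, i = parse(i)
                items.append(item)
            if i >= len(tokens):
                raise SyntaxError("missing )")
            return items, i + 1
        if tok == ")":
            raise SyntaxError("unexpected )")
        return tok, i + 1

    expr, end = parse(0)
    if end != len(tokens):
        raise SyntaxError("trailing tokens after expression")
    return expr


def expand_make_set(e: Sexp) -> Sexp:
    """(MAKE-SET) -> THE-EMPTY-SET and
    (MAKE-SET X1 ... XN) -> (INSERT X1 (MAKE-SET X2 ... XN)), applied everywhere."""
    if isinstance(e, str):
        return e
    if e and e[0] == "MAKE-SET":
        elements = e[1:]
        if not elements:
            return "THE-EMPTY-SET"
        return ["INSERT", expand_make_set(elements[0]),
                expand_make_set(["MAKE-SET", *elements[1:]])]
    return [expand_make_set(x) for x in e]


def write_sexp(e: Sexp) -> str:
    return e if isinstance(e, str) else "(" + " ".join(write_sexp(x) for x in e) + ")"


def denotation(e: Sexp) -> Any:
    """Evaluate THE-EMPTY-SET and INSERT forms to frozensets; other symbols
    denote themselves.  Inserting into a non-set is an error, as INSERT's
    second argument is typed SET in the definition above."""
    if e == "THE-EMPTY-SET":
        return frozenset()
    if isinstance(e, str):
        return e
    if e[0] == "INSERT" and len(e) == 3:
        x, s = denotation(e[1]), denotation(e[2])
        if not isinstance(s, frozenset):
            raise TypeError("the second argument of INSERT must denote a set")
        return s | {x}
    raise ValueError(f"cannot evaluate {write_sexp(e)}")


if __name__ == "__main__":
    form = read_sexp("(MAKE-SET A B C)")
    print(write_sexp(expand_make_set(form)))
    print(sorted(denotation(expand_make_set(form))))
```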
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(LEHHA 

(FORALL ((X THING)) 

(IS (MAKE-SET X) SET))) 



(LEMMA 

(FORALL ((X THING)) 

(IS X (MEMBER-OF (MAKE-SET X))))) 



(IN-CONTEXT 

((LET-BE X THING) 
(LET-BE E THE-EMPTY-SET)) 
(NOTE (IS (INSERT X E) SET)) 
(NOTE (IS X (MEMBER-OF (INSERT X E)))) 
(IN-CONTEXT 

((LET-BE Y (MEMBER-OF (INSERT X E)))) 
(NOTE (= X Y)))) 



(LEMMA 

(FORALL 

((X THING) 
(Y (MEMBER-OF (MAKE-SET X)))) 
(= X Y))) 



(DEFTYPE SINGLETON-SET 

(WRITABLE-AS (MAKE-SET X) 
(X THING))) 
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(LEMMA (FORALL ((S SINGLETON-SET)) 
(IS S SET))) 



(LEMMA (FORALL ((S1 SINGLETON-SET))
         (EXISTS-SOME (MEMBER-OF S1))))

(LEMMA (FORALL ((S1 SINGLETON-SET))
         (AT-MOST-ONE (MEMBER-OF S1))))

(IN-CONTEXT
  ((LET-BE S1 SINGLETON-SET)
   (WRITE-AS S1 (MAKE-SET X)
             (X THING)))
  (NOTE (IS S1 SET))
  (NOTE (EXISTS-SOME (MEMBER-OF S1)))
  (IN-CONTEXT
    ((LET-BE Y1 (MEMBER-OF S1))
     (LET-BE Y2 (MEMBER-OF S1)))
    (NOTE (AT-MOST-ONE (MEMBER-OF S1)))))



(LEMMA 

(FORALL ((S SET)) 

(=> (EXACTLY-ONE (MEMBER-OF S)) 
(= S 

(MAKE-SET 

(THE (MEMBER-OF S))))))) 



(LEMMA 

(FORALL ((S SET)) 

(=> (EXACTLY-ONE (MEMBER-OF S)) 
(IS S SINGLETON-SET)))) 



(IN-CONTEXT 

((LET-BE S SET) 
(SUPPOSE (EXACTLY-ONE (MEMBER-OF S))) 
   (LET-BE THE-MEMBER
     (THE (MEMBER-OF S)))
   (LET-BE S2 (MAKE-SET THE-MEMBER)))
(NOTE (= S S2)) 
(NOTE (IS S SINGLETON-SET))) 
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(LEMMA 

(FORALL ((X THING) 
(Y THING)) 
(IS (MAKE-SET X Y) 
SET))) 



(LEMMA
  (FORALL ((Y THING)
           (X THING))
    (IS X (MEMBER-OF (MAKE-SET X Y)))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE SY (MAKE-SET Y))
   (LET-BE SXY (INSERT X SY)))
  (NOTE (IS SXY SET))
  (NOTE (IS X (MEMBER-OF SXY)))
  (IN-CONTEXT
    ((LET-BE Z (MEMBER-OF SXY)))
    (NOTE (OR (= Z X)
              (= Z Y)))))

(LEMMA
  (FORALL ((X THING)
           (Y THING)
           (Z (MEMBER-OF
                (MAKE-SET X Y))))
    (OR (= Z X)
        (= Z Y))))






(LEMMA 

(FORALL ((Y THING) 
(X THING)) 
(= (MAKE-SET X Y) 
(MAKE-SET Y X)))) 



(IN-CONTEXT 

((LET-BE X THIHG) 
(LET-BE Y THING) 
(LET-BE E THE-EMPTY-SET)) 
(NOTE (= (MAKE-SET X Y) 

(MAKE-SET Y X)))) 



(LEMMA 

(FORALL ((Y THIHG) 
(X THIHG) 
(Z THIHG)) 
(= (MAKE-SET X Y Z) 
(MAKE-SET Y X Z)))) 



(IN-CONTEXT 

((LET-BE X THING) 
(LET-BE Y THIHG) 
(LET-BE Z THIHG) 
(POSH-GOAL 

(= (MAKE-SET X Y Z) 
(MAKE-SET Y X Z)))) 
(IN-CONTEXT 

((LET-BE S (MAKE-SET Z))) 
(HOTE-GOAL))) 



(DEFTYPE (NOT-EQUAL-TO (X THING)) 
(LAMBDA ((Y THING)) 
(NOT (= X Y)))) 
(LEMMA
  (FORALL ((S SET))
    (EXISTS ((X THING))
      (NOT (IS X (MEMBER-OF S))))))

Russell's Paradox:

(IN-CONTEXT
  ((LET-BE S SET)
   (SUPPOSE
     (FORALL ((X THING))
       (IS X (MEMBER-OF S))))
   (LET-BE S2
     (THE-SET-OF-ALL (X (MEMBER-OF S))
       (NOT (IS X (MEMBER-OF X))))))
  (IN-CONTEXT
    ((SUPPOSE (IS S2 (MEMBER-OF S2))))
    (NOTE-CONTRADICTION))
  (NOTE-CONTRADICTION))

(LEMMA
  (FORALL ((X THING))
    (EXISTS-SOME (NOT-EQUAL-TO X))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE SX (MAKE-SET X))
   (LET-BE Y THING
     (NOT (IS Y (MEMBER-OF SX)))))
  (NOTE (EXISTS-SOME (NOT-EQUAL-TO X))))

(DEFTYPE DOUBLETON-SET
  (WRITABLE-AS (MAKE-SET X Y)
    (X THING)
    (Y (NOT-EQUAL-TO X))))

(LEMMA (EXISTS-SOME DOUBLETON-SET))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y (NOT-EQUAL-TO X)))
  (NOTE (EXISTS-SOME DOUBLETON-SET)))
(DEFTYPE (OTHER-MEMBER (S SET) (X (MEMBER-OF S)))
  (AND-TYPE (MEMBER-OF S) (NOT-EQUAL-TO X)))

(LEMMA
  (FORALL ((S DOUBLETON-SET))
    (IS S SET)))

(LEMMA
  (FORALL ((S DOUBLETON-SET))
    (NOT (IS S SINGLETON-SET))))

(LEMMA
  (FORALL ((S DOUBLETON-SET))
    (EXISTS-SOME (MEMBER-OF S))))

(LEMMA
  (FORALL ((S DOUBLETON-SET)
           (Z (MEMBER-OF S)))
    (EXISTS-SOME (OTHER-MEMBER S Z))))

(LEMMA
  (FORALL ((S DOUBLETON-SET)
           (Z (MEMBER-OF S)))
    (AT-MOST-ONE (OTHER-MEMBER S Z))))

(LEMMA
  (FORALL ((S DOUBLETON-SET)
           (Z (MEMBER-OF S)))
    (= S
       (MAKE-SET Z (THE (OTHER-MEMBER S Z))))))

(IN-CONTEXT
  ((LET-BE S DOUBLETON-SET)
   (WRITE-AS S (MAKE-SET X Y)
     (X THING)
     (Y (NOT-EQUAL-TO X))))
  (NOTE (IS S SET))
  (NOTE (NOT (IS S SINGLETON-SET)))
  (NOTE (EXISTS-SOME (MEMBER-OF S)))
  (IN-CONTEXT
    ((LET-BE Z (MEMBER-OF S)))
    (IN-CONTEXT
      ((PUSH-GOAL (EXISTS-SOME (OTHER-MEMBER S Z))))
      (IN-CONTEXT
        ((SUPPOSE (= Z X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL (AT-MOST-ONE (OTHER-MEMBER S Z)))
       (LET-BE W1 (OTHER-MEMBER S Z))
       (LET-BE W2 (OTHER-MEMBER S Z)))
      (IN-CONTEXT
        ((SUPPOSE (= Z X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL
         (= S
            (MAKE-SET Z (THE (OTHER-MEMBER S Z))))))
      (IN-CONTEXT
        ((SUPPOSE (= X Z)))
        (NOTE-GOAL))
      (NOTE-GOAL))))

(LEMMA
  (FORALL ((S SINGLETON-SET))
    (NOT (IS S DOUBLETON-SET))))

(IN-CONTEXT
  ((LET-BE S SINGLETON-SET)
   (LET-BE X (THE (MEMBER-OF S))))
  (NOTE (NOT (IS S DOUBLETON-SET))))
(DEFTYPE (SET-CONTAINING (X THING))
  (LAMBDA ((S SET))
    (IS X (MEMBER-OF S))))

(DEFTYPE (SUPERSET-OF (S1 SET))
  (LAMBDA ((S2 SET))
    (IS S1 (SUBSET-OF S2))))

(DEFTYPE (PROPER-SUPERSET-OF (S SET))
  (AND-TYPE (SUPERSET-OF S) (NOT-EQUAL-TO S)))

(DEFTYPE (PROPER-SUBSET-OF (S SET))
  (AND-TYPE (SUBSET-OF S) (NOT-EQUAL-TO S)))

(DEFTYPE (NOT-MEMBER-OF (S SET))
  (LAMBDA ((X THING))
    (NOT (IS X (MEMBER-OF S)))))

(DEFTYPE NON-EMPTY-SET
  (LAMBDA ((S SET))
    (EXISTS-SOME (MEMBER-OF S))))

(LEMMA (EXISTS-SOME NON-EMPTY-SET))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE SX (MAKE-SET X)))
  (NOTE (EXISTS-SOME NON-EMPTY-SET)))

(DEFTYPE (NON-EMPTY-SUBSET-OF (S NON-EMPTY-SET))
  (AND-TYPE (SUBSET-OF S) NON-EMPTY-SET))

(LEMMA
  (FORALL ((S SET)
           (S2 (SUBSET-OF S))
           (S3 (SUBSET-OF S2)))
    (IS S3 (SUBSET-OF S))))

(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE S2 (SUBSET-OF S))
   (LET-BE S3 (SUBSET-OF S2))
   (PUSH-GOAL (IS S3 (SUBSET-OF S))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF S3)))
     (LET-BE X (MEMBER-OF S3)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE FAMILY-OF-SETS
  (LAMBDA ((F NON-EMPTY-SET))
    (IS-EVERY (MEMBER-OF F) SET)))
(LEMMA
  (FORALL ((S1 SET))
    (IS (INSERT S1 THE-EMPTY-SET)
        FAMILY-OF-SETS)))

(LEMMA (EXISTS-SOME FAMILY-OF-SETS))

(IN-CONTEXT
  ((LET-BE S1 SET))
  (IN-CONTEXT
    ((LET-BE F1 (MAKE-SET S1))
     (LET-BE S (MEMBER-OF F1)))
    (NOTE (IS F1 FAMILY-OF-SETS))
    (NOTE (EXISTS-SOME FAMILY-OF-SETS))))

(LEMMA
  (FORALL ((S SET)
           (F1 FAMILY-OF-SETS))
    (IS (INSERT S F1)
        FAMILY-OF-SETS)))

(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE F1 FAMILY-OF-SETS)
   (LET-BE F2 (INSERT S F1))
   (PUSH-GOAL (IS F2 FAMILY-OF-SETS)))
  (IN-CONTEXT
    ((LET-BE FMEM (MEMBER-OF F2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS FMEM SET)))
      (IN-CONTEXT
        ((SUPPOSE (= FMEM S)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((S2 SET)
           (S3 SET))
    (IS (MAKE-SET S2 S3)
        FAMILY-OF-SETS)))

(LEMMA
  (FORALL ((S1 SET)
           (S2 SET)
           (S3 SET))
    (IS (MAKE-SET S1 S2 S3)
        FAMILY-OF-SETS)))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 SET))
  (IN-CONTEXT
    ((LET-BE F1 (MAKE-SET S3))
     (LET-BE F2 (MAKE-SET S2 S3))
     (LET-BE F3 (MAKE-SET S1 S2 S3)))
    (NOTE (IS F2 FAMILY-OF-SETS))
    (NOTE (IS F3 FAMILY-OF-SETS))))

(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (X (MEMBER-OF S))
           (Y (MEMBER-OF S)))
    (IS (MAKE-SET X Y)
        (SUBSET-OF S))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE X (MEMBER-OF S))
   (LET-BE Y (MEMBER-OF S))
   (LET-BE SXY (MAKE-SET X Y))
   (PUSH-GOAL (IS SXY (SUBSET-OF S))))
  (IN-CONTEXT
    ((LET-BE Z (MEMBER-OF SXY)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS Z (MEMBER-OF S))))
      (IN-CONTEXT
        ((SUPPOSE (= Z X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (X (MEMBER-OF S))
           (Y (MEMBER-OF S))
           (Z (MEMBER-OF S)))
    (IS (MAKE-SET X Y Z)
        (SUBSET-OF S))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE X (MEMBER-OF S))
   (LET-BE Y (MEMBER-OF S))
   (LET-BE Z (MEMBER-OF S))
   (LET-BE S2 (MAKE-SET X Y Z))
   (PUSH-GOAL (IS S2 (SUBSET-OF S))))
  (IN-CONTEXT
    ((LET-BE S3 (MAKE-SET Y Z)))
    (NOTE-GOAL)))

(DEFTYPE (MEMBER-OF-MEMBER (F FAMILY-OF-SETS))
  (WRITABLE-AS Z
    (Z (MEMBER-OF Y))
    (Y (MEMBER-OF F))))

(DEFTERM (FAMILY-UNION (F FAMILY-OF-SETS))
  (THE-SET-OF-ALL (MEMBER-OF-MEMBER F)))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS))
    (IS (FAMILY-UNION F) SET)))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S (MEMBER-OF F)))
    (IS S (SUBSET-OF (FAMILY-UNION F)))))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S SET
             (IS-EVERY (MEMBER-OF F)
                       (SUBSET-OF S))))
    (IS (FAMILY-UNION F)
        (SUBSET-OF S))))

(IN-CONTEXT
  ((LET-BE F FAMILY-OF-SETS)
   (LET-BE UNION-F (FAMILY-UNION F)))
  (NOTE (IS UNION-F SET))
  (IN-CONTEXT
    ((LET-BE S (MEMBER-OF F))
     (PUSH-GOAL (IS S (SUBSET-OF UNION-F))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
       (LET-BE X (MEMBER-OF S)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE S SET
       (IS-EVERY (MEMBER-OF F) (SUBSET-OF S)))
     (PUSH-GOAL (IS UNION-F (SUBSET-OF S))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF UNION-F)))
       (LET-BE X (MEMBER-OF UNION-F))
       (LET-BE S2 (MEMBER-OF F)
         (IS X (MEMBER-OF S2))))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(DEFTERM (UNION (S1 SET) (S2 SET))
  (FAMILY-UNION (MAKE-SET S1 S2)))

(LEMMA
  (FORALL ((S1 SET)
           (S2 SET))
    (IS (UNION S1 S2) SET)))

(LEMMA
  (FORALL ((S2 SET)
           (S1 SET))
    (IS S1 (SUBSET-OF (UNION S1 S2)))))

(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (= (UNION S1 S2)
       (THE-SET-OF-ALL
         (OR-TYPE (MEMBER-OF S1)
                  (MEMBER-OF S2))))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE USET (UNION S1 S2)))
  (NOTE (IS USET SET))
  (NOTE (IS S1 (SUBSET-OF USET)))
  (IN-CONTEXT
    ((LET-BE USET2
       (THE-SET-OF-ALL
         (OR-TYPE (MEMBER-OF S1)
                  (MEMBER-OF S2))))
     (PUSH-GOAL (= USET USET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS USET (SUBSET-OF USET2))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET)))
         (LET-BE X (MEMBER-OF USET))
         (LET-BE S3 (MEMBER-OF F)
           (IS X (MEMBER-OF S3))))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF USET2))))
          (IN-CONTEXT
            ((SUPPOSE (= S3 S1)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL (IS USET2 (SUBSET-OF USET))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET2)))
         (LET-BE X (MEMBER-OF USET2)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF USET))))
          (IN-CONTEXT
            ((SUPPOSE (IS X (MEMBER-OF S1))))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((S1 SET)
           (S2 SET)
           (S3 (AND-TYPE
                 (SUPERSET-OF S1)
                 (SUPERSET-OF S2))))
    (IS S3
        (SUPERSET-OF (UNION S1 S2)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE USET (UNION S1 S2))
   (LET-BE S3 (AND-TYPE (SUPERSET-OF S1)
                        (SUPERSET-OF S2)))
   (PUSH-GOAL
     (IS S3 (SUPERSET-OF (FAMILY-UNION F)))))
  (IN-CONTEXT
    ((LET-BE S4 (MEMBER-OF F)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS S4 (SUBSET-OF S3))))
      (IN-CONTEXT
        ((SUPPOSE (= S4 S1)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(DEFTERM (FAMILY-INTERSECTION (F FAMILY-OF-SETS))
  (THE-SET-OF-ALL (X (MEMBER-OF-MEMBER F))
    (IS-EVERY (MEMBER-OF F) (SET-CONTAINING X))))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS))
    (IS (FAMILY-INTERSECTION F) SET)))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S (MEMBER-OF F)))
    (IS S (SUPERSET-OF (FAMILY-INTERSECTION F)))))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S SET
             (FORALL ((MEM2 (MEMBER-OF F)))
               (IS MEM2 (SUPERSET-OF S)))))
    (IS (FAMILY-INTERSECTION F)
        (SUPERSET-OF S))))

(IN-CONTEXT
  ((LET-BE F FAMILY-OF-SETS)
   (LET-BE INTERSECTION-F (FAMILY-INTERSECTION F)))
  (NOTE (IS INTERSECTION-F SET))
  (IN-CONTEXT
    ((LET-BE S (MEMBER-OF F))
     (PUSH-GOAL (IS S (SUPERSET-OF INTERSECTION-F))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF INTERSECTION-F)))
       (LET-BE X (MEMBER-OF INTERSECTION-F)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE S SET
       (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
     (PUSH-GOAL (IS INTERSECTION-F (SUPERSET-OF S))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
       (LET-BE X (MEMBER-OF S))
       (LET-BE S2 (MEMBER-OF F)))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(DEFTERM (INTERSECTION (S1 SET) (S2 SET))
  (FAMILY-INTERSECTION (MAKE-SET S1 S2)))

(LEMMA
  (FORALL ((S1 SET)
           (S2 SET))
    (IS (INTERSECTION S1 S2) SET)))

(LEMMA
  (FORALL ((S2 SET)
           (S1 SET))
    (IS S1 (SUPERSET-OF (INTERSECTION S1 S2)))))

(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (= (INTERSECTION S1 S2)
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S1)
                   (MEMBER-OF S2))))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE ISET (INTERSECTION S1 S2)))
  (NOTE (IS ISET SET))
  (NOTE (IS S1 (SUPERSET-OF ISET)))
  (IN-CONTEXT
    ((LET-BE ISET2
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S1)
                   (MEMBER-OF S2))))
     (PUSH-GOAL (= ISET ISET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS ISET (SUBSET-OF ISET2))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET)))
         (LET-BE X (MEMBER-OF ISET)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL (IS ISET2 (SUBSET-OF ISET))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET2)))
         (LET-BE X (MEMBER-OF ISET2))
         (LET-BE S3 (MEMBER-OF F)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF S3))))
          (IN-CONTEXT
            ((SUPPOSE (= S3 S1)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((S1 SET)
           (S2 SET)
           (S3 (AND-TYPE
                 (SUBSET-OF S1)
                 (SUBSET-OF S2))))
    (IS S3
        (SUBSET-OF (INTERSECTION S1 S2)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE ISET (INTERSECTION S1 S2))
   (LET-BE S3 (AND-TYPE (SUBSET-OF S1)
                        (SUBSET-OF S2)))
   (PUSH-GOAL (IS S3 (SUBSET-OF ISET))))
  (IN-CONTEXT
    ((LET-BE S4 (MEMBER-OF F)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS S4 (SUPERSET-OF S3))))
      (IN-CONTEXT
        ((SUPPOSE (= S4 S1)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((S2 SET)
           (S1 SET)
           (S3 SET))
    (= (INTERSECTION S1 (UNION S2 S3))
       (UNION (INTERSECTION S1 S2)
              (INTERSECTION S1 S3)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 SET)
   (LET-BE U-S2-S3 (UNION S2 S3))
   (LET-BE I-S1-S2 (INTERSECTION S1 S2))
   (LET-BE I-S1-S3 (INTERSECTION S1 S3))
   (LET-BE ISET (INTERSECTION S1 U-S2-S3))
   (LET-BE USET (UNION I-S1-S2 I-S1-S3))
   (PUSH-GOAL (= ISET USET)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS ISET (SUBSET-OF USET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET)))
       (LET-BE X (MEMBER-OF ISET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF USET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF S2))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS USET (SUBSET-OF ISET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET)))
       (LET-BE X (MEMBER-OF USET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF ISET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF I-S1-S2))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))
(LEMMA
  (FORALL ((S2 SET)
           (S1 SET)
           (S3 SET))
    (= (UNION S1 (INTERSECTION S2 S3))
       (INTERSECTION (UNION S1 S2)
                     (UNION S1 S3)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 SET)
   (LET-BE I-S2-S3 (INTERSECTION S2 S3))
   (LET-BE U-S1-S2 (UNION S1 S2))
   (LET-BE U-S1-S3 (UNION S1 S3))
   (LET-BE USET (UNION S1 I-S2-S3))
   (LET-BE ISET (INTERSECTION U-S1-S2 U-S1-S3))
   (PUSH-GOAL (= USET ISET)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS USET (SUBSET-OF ISET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET)))
       (LET-BE X (MEMBER-OF USET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF ISET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF S1))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS ISET (SUBSET-OF USET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET)))
       (LET-BE X (MEMBER-OF ISET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF USET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF S1))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))
(LEMMA
  (FORALL ((S1 SET)
           (S3 (SUBSET-OF S1))
           (S2 SET))
    (IS (UNION S3 S2)
        (SUBSET-OF (UNION S1 S2)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 (SUBSET-OF S1))
   (LET-BE USET1 (UNION S1 S2))
   (LET-BE USET2 (UNION S3 S2))
   (PUSH-GOAL (IS USET2 (SUBSET-OF USET1))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET2)))
     (LET-BE X (MEMBER-OF USET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS X (MEMBER-OF USET1))))
      (IN-CONTEXT
        ((SUPPOSE (IS X (MEMBER-OF S3))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((S1 SET)
           (S3 (SUBSET-OF S1))
           (S2 SET))
    (IS (INTERSECTION S3 S2)
        (SUBSET-OF (INTERSECTION S1 S2)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 (SUBSET-OF S1))
   (LET-BE ISET1 (INTERSECTION S1 S2))
   (LET-BE ISET2 (INTERSECTION S3 S2))
   (PUSH-GOAL (IS ISET2 (SUBSET-OF ISET1))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET2)))
     (LET-BE X (MEMBER-OF ISET2)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((S1 SET)
           (S2 (SUBSET-OF S1)))
    (= S1 (UNION S1 S2))))

(LEMMA
  (FORALL ((S1 SET)
           (S2 (SUBSET-OF S1)))
    (= S2 (INTERSECTION S1 S2))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 (SUBSET-OF S1)))
  (IN-CONTEXT
    ((LET-BE USET (UNION S1 S2)))
    (NOTE (= S1 (UNION S1 S2))))
  (IN-CONTEXT
    ((LET-BE ISET (INTERSECTION S1 S2)))
    (NOTE (= S2 (INTERSECTION S1 S2)))))
(DEFTYPE (DISJOINT-FROM (S1 SET))
  (LAMBDA ((S2 SET))
    (= (INTERSECTION S1 S2)
       THE-EMPTY-SET)))

(LEMMA
  (FORALL ((S1 SET))
    (EXISTS-SOME (DISJOINT-FROM S1))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE ESET THE-EMPTY-SET))
  (NOTE (EXISTS-SOME (DISJOINT-FROM S1))))

(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (IFF (IS S1 (DISJOINT-FROM S2))
         (IS-EVERY (MEMBER-OF S1)
                   (NOT-MEMBER-OF S2)))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE INT (INTERSECTION S1 S2))
   (PUSH-GOAL
     (IFF (IS S1 (DISJOINT-FROM S2))
          (IS-EVERY (MEMBER-OF S1)
                    (NOT-MEMBER-OF S2)))))
  (IN-CONTEXT
    ((SUPPOSE (IS-EVERY (MEMBER-OF S1)
                        (NOT-MEMBER-OF S2))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF INT)))
       (LET-BE X (MEMBER-OF INT)))
      (NOTE-CONTRADICTION))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((SUPPOSE (IS S1 (DISJOINT-FROM S2))))
    (IN-CONTEXT
      ((PUSH-GOAL (IS-EVERY (MEMBER-OF S1)
                            (NOT-MEMBER-OF S2))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF S1)))
         (LET-BE X (MEMBER-OF S1)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))
(DEFTERM (SET-DIFFERENCE (S1 SET) (S2 SET))
  (THE-SET-OF-ALL
    (AND-TYPE (MEMBER-OF S1) (NOT-MEMBER-OF S2))))

(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (IS (SET-DIFFERENCE S1 S2)
        (SUBSET-OF S1))))

(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (IS (SET-DIFFERENCE S1 S2)
        (DISJOINT-FROM S2))))

(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (= (UNION S2 (SET-DIFFERENCE S1 S2))
       (UNION S1 S2))))

(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE SD (SET-DIFFERENCE S1 S2)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SD (SUBSET-OF S1))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SD)))
       (LET-BE X (MEMBER-OF SD)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SD (DISJOINT-FROM S2))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SD)))
       (LET-BE X (MEMBER-OF SD)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE USET1 (UNION S2 SD))
     (LET-BE USET2 (UNION S1 S2))
     (PUSH-GOAL (= USET1 USET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS USET2 (SUBSET-OF USET1))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET2)))
         (LET-BE X (MEMBER-OF USET2)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF USET1))))
          (IN-CONTEXT
            ((SUPPOSE (IS X (MEMBER-OF S2))))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(DEFTERM (REMOVE (X THING) (S SET))
  (SET-DIFFERENCE S (MAKE-SET X)))

(LEMMA
  (FORALL ((S SET) (X THING))
    (= (REMOVE X S)
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S)
                   (NOT-EQUAL-TO X))))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE S SET)
   (LET-BE REM (REMOVE X S))
   (LET-BE S2 (MAKE-SET X))
   (LET-BE S3
     (THE-SET-OF-ALL
       (AND-TYPE (MEMBER-OF S)
                 (NOT-EQUAL-TO X))))
   (PUSH-GOAL (= REM S3)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS REM (SUBSET-OF S3))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF REM)))
       (LET-BE Y (MEMBER-OF REM)))
      (NOTE (IS Y (NOT-EQUAL-TO X)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS S3 (SUBSET-OF REM))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF S3)))
       (LET-BE Y (MEMBER-OF S3)))
      (NOTE (IS Y (NOT-MEMBER-OF
                    (INSERT X THE-EMPTY-SET))))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((S SET)
           (X THING)
           (Y THING))
    (= (REMOVE Y (REMOVE X S))
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S)
                   (NOT-EQUAL-TO X)
                   (NOT-EQUAL-TO Y))))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE S SET)
   (LET-BE SX (REMOVE X S))
   (LET-BE SYX (REMOVE Y SX))
   (LET-BE SYX2
     (THE-SET-OF-ALL
       (AND-TYPE (MEMBER-OF S)
                 (NOT-EQUAL-TO X)
                 (NOT-EQUAL-TO Y))))
   (PUSH-GOAL (= SYX SYX2)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SYX (SUBSET-OF SYX2))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SYX)))
       (LET-BE Z (MEMBER-OF SYX)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SYX2 (SUBSET-OF SYX))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SYX2)))
       (LET-BE Z (MEMBER-OF SYX2)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((Y THING)
           (X THING)
           (S SET))
    (= (REMOVE X (REMOVE Y S))
       (REMOVE Y (REMOVE X S)))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE S SET)
   (LET-BE SXY (REMOVE X (REMOVE Y S)))
   (LET-BE SYX (REMOVE Y (REMOVE X S)))
   (PUSH-GOAL (= SXY SYX)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SXY (SUBSET-OF SYX))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SXY)))
       (LET-BE Z (MEMBER-OF SXY)))
      (NOTE-GOAL))
    (NOTE+GENERALIZE-GOAL))
  (NOTE-GOAL))
(DEFTERM (POWER-SET (S SET))
  (THE-SET-OF-ALL (SUBSET-OF S)))

(LEMMA
  (FORALL ((S SET))
    (IS (POWER-SET S)
        FAMILY-OF-SETS)))

(LEMMA
  (FORALL ((S SET))
    (= S
       (FAMILY-UNION (POWER-SET S)))))

(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE P (POWER-SET S)))
  (IN-CONTEXT
    ((LET-BE S2 (MEMBER-OF P)))
    (NOTE (IS P FAMILY-OF-SETS)))
  (IN-CONTEXT
    ((LET-BE S2 (FAMILY-UNION (POWER-SET S))))
    (NOTE (= S (FAMILY-UNION (POWER-SET S))))))
A.2 Pairs, Rules and Structures

This section contains facts about pairs, rules and structures. For any two 
things x and y the pair <x, y> is implemented as the set {{x, y}, {x}} (this is 
the definition of MAKE-PAIR given below). A rule is a set of pairs. An object 
which appears on the right side of a pair in a rule r is called a domain 
element of r. The set of all domain elements of r is called the rule domain 
of the rule r (rule domains are different from map domains; map domains are 
discussed in Section A.3 below). 

A structure is a rule whose domain is a set of symbols. Ontic structures 
are similar to the "structures" or "records" used in computer programming 
languages (e.g. structures defined via DEFSTRUCT in Common Lisp). The 
symbols in the domain of a structure rule are sometimes called the "slots" 
of the structure. From a mathematical point of view the most interesting 
structures have a U-SET slot which contains the "domain" or "underlying 
set" of the structure. A structure with a U-SET slot that contains a set 
(a non-empty set, in the definition of SET-STRUCTURE below) is called a 
set structure. Many different kinds of mathematical objects can be modeled 
as set structures; partial orders, algebras, topologies, graphs, and 
differentiable manifolds can all be implemented as set structures. 
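The pair encoding described above, as an added example that is not part of the Ontic system or of this thesis: a Python model of (MAKE-PAIR X Y) = {{x, y}, {x}} over hereditarily finite frozensets, with FAMILY-UNION, FAMILY-INTERSECTION, LEFT and RIGHT written the way this appendix defines them. It exists to show two things the lemma library proves but does not make visible: why RIGHT needs a separate singleton case (when x = y the pair collapses to {{x}}, so the "other member" of the family union does not exist), and that the encoding determines both components, so two pairs are equal exactly when their components are. The function names are this example's lower-cased versions of the page's operators; the is_pair check is this example's way of deciding whether a set is WRITABLE-AS a pair and is not an Ontic primitive.

```python
"""Kuratowski pairs over Python frozensets, mirroring Ontic's MAKE-PAIR.

Added example, not code from the Ontic system. Sets are frozensets, so
sets of sets are hashable and can themselves be members.
"""
from __future__ import annotations

from typing import Any, FrozenSet

HFSet = FrozenSet[Any]


def make_set(*xs: Any) -> HFSet:
    # (MAKE-SET X Y ...): duplicates collapse, so (MAKE-SET X X) = {x}
    return frozenset(xs)


def family_union(f: HFSet) -> HFSet:
    # (FAMILY-UNION F): the set of all members of members of F
    return frozenset(z for y in f for z in y)


def family_intersection(f: HFSet) -> HFSet:
    # (FAMILY-INTERSECTION F): members of members that lie in every member
    # of F. FAMILY-OF-SETS is non-empty by definition, so an empty F is an error.
    members = list(f)
    if not members:
        raise ValueError("FAMILY-OF-SETS must be non-empty")
    return frozenset(x for x in family_union(f) if all(x in y for y in members))


def make_pair(x: Any, y: Any) -> HFSet:
    # (MAKE-PAIR X Y) = (MAKE-SET (MAKE-SET X Y) (MAKE-SET X)) = {{x, y}, {x}}
    return make_set(make_set(x, y), make_set(x))


def the(s: HFSet) -> Any:
    # (THE type): the unique instance; an error unless EXACTLY-ONE exists
    if len(s) != 1:
        raise ValueError(f"expected exactly one member, got {len(s)}")
    return next(iter(s))


def left(p: HFSet) -> Any:
    # (LEFT P) = (THE (MEMBER-OF (FAMILY-INTERSECTION P)))
    return the(family_intersection(p))


def right(p: HFSet) -> Any:
    # (RIGHT P): if P is a SINGLETON-SET the pair is <x, x> and RIGHT is LEFT;
    # otherwise RIGHT is THE (OTHER-MEMBER (FAMILY-UNION P) (LEFT P)).
    if len(p) == 1:
        return left(p)
    lft = left(p)
    other_member = frozenset(z for z in family_union(p) if z != lft)
    return the(other_member)


def is_pair(s: Any) -> bool:
    # Decide (IS S PAIR), i.e. S is WRITABLE-AS (MAKE-PAIR X Y): extract the
    # candidate components and check that they rebuild S exactly. This
    # decision procedure is the example's own, not an Ontic primitive.
    if not isinstance(s, frozenset) or not s:
        return False
    if not all(isinstance(m, frozenset) for m in s):
        return False
    try:
        return make_pair(left(s), right(s)) == s
    except ValueError:
        return False


if __name__ == "__main__":
    p = make_pair("a", "b")
    print(left(p), right(p), is_pair(p))
    print(make_pair(1, 1), right(make_pair(1, 1)))
```

Note that the set {{x, y}} alone is rejected by is_pair when x and y differ: its family intersection is {x, y}, which has two members, so LEFT is undefined; only the extra {x} singles out the first component.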
(DEFTERM (MAKE-PAIR (X THING) (Y THING))
  (MAKE-SET (MAKE-SET X Y) (MAKE-SET X)))

(LEMMA
  (FORALL ((X THING) (Y THING))
    (= (FAMILY-UNION (MAKE-PAIR X Y))
       (MAKE-SET X Y))))

(LEMMA
  (FORALL ((Y THING) (X THING))
    (= (FAMILY-INTERSECTION (MAKE-PAIR X Y))
       (MAKE-SET X))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE SX (MAKE-SET X))
   (LET-BE SXY (MAKE-SET X Y))
   (LET-BE SPAIR (MAKE-PAIR X Y)))
  (NOTE (IS (FAMILY-UNION SPAIR) SXY))
  (NOTE (IS (FAMILY-INTERSECTION SPAIR) SX)))

(DEFTYPE PAIR
  (WRITABLE-AS (MAKE-PAIR X Y)
    (X THING)
    (Y THING)))

(DEFTERM (LEFT (P PAIR))
  (THE (MEMBER-OF (FAMILY-INTERSECTION P))))

(LEMMA
  (FORALL ((X THING) (Y THING))
    (= X (LEFT (MAKE-PAIR X Y)))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE P (MAKE-PAIR X Y))
   (LET-BE SX (FAMILY-INTERSECTION P)))
  (NOTE (= X (LEFT P))))

(DEFTERM (RIGHT (P PAIR))
  (IF (SINGLETON-SET P)
      (LEFT P)
      (THE (OTHER-MEMBER
             (FAMILY-UNION P)
             (LEFT P)))))

(LEMMA
  (FORALL ((X THING) (Y THING))
    (= Y (RIGHT (MAKE-PAIR X Y)))))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE P (MAKE-PAIR X Y))
   (PUSH-GOAL (= Y (RIGHT P)))
   (LET-BE MX (MAKE-SET X))
   (LET-BE MY (MAKE-SET X Y)))
  (IN-CONTEXT
    ((SUPPOSE (= X Y)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((SUPPOSE (NOT (= X Y))))
    (NOTE (NOT (= MX MY)))
    (NOTE-GOAL))
  (NOTE-GOAL))
For efficiency the type RULE, the operators THE-RULE and THE-FUNCTION, 
and the type generators DOMAIN-TYPE and RULE-BETWEEN are all implemented 
primitively. If f is a syntactically small function expression of one 
argument then the term (THE-RULE f) denotes a set theoretic object, such as 
a set of pairs, that corresponds to the function f. Instances of the type 
RULE are objects which can be written as (THE-RULE f) where f is a 
syntactically small function expression of one argument. If R denotes a rule 
then the type (DOMAIN-TYPE R) is the type corresponding to the domain of 
the rule R (viewed as a function) and (THE-FUNCTION R) is the function 
corresponding to R. If S1 and S2 denote sets then instances of the type 
(RULE-BETWEEN S1 S2) are rules that give mappings from S1 into S2. 

(DEFTYPE (DOMAIN-TYPE (R RULE))
  (MEMBER-OF (RULE-DOMAIN R)))

(LEMMA
  (FORALL ((S1 NON-EMPTY-SET)
           (S2 NON-EMPTY-SET))
    (EXISTS-SOME (RULE-BETWEEN S1 S2))))

(IN-CONTEXT
  ((LET-BE S1 NON-EMPTY-SET)
   (LET-BE S2 NON-EMPTY-SET)
   (LET-BE Y (MEMBER-OF S2))
   (LET-BE R (THE-RULE ((X (MEMBER-OF S1))) Y)))
  (NOTE (EXISTS-SOME (RULE-BETWEEN S1 S2))))

(DEFTERM (RESTRICT-RULE (R RULE)
                        (S (SUBSET-OF (RULE-DOMAIN R))))
  (THE-RULE ((X (MEMBER-OF S)))
    (APPLY-RULE R X)))

(DEFTERM (RESTRICT-RELATION (R RELATION)
                            (S (SUBSET-OF (RULE-DOMAIN R))))
  (THE-RULE ((X (MEMBER-OF S)))
    (INTERSECTION S (APPLY-RULE R X))))

(DEFTYPE (INJECTIVE-RULE-BETWEEN (S1 SET) (S2 SET))
  (LAMBDA ((R (RULE-BETWEEN S1 S2)))
    (FORALL ((Y (MEMBER-OF S1)))
      (EXACTLY-ONE (X (MEMBER-OF (RULE-DOMAIN R)))
        (= (APPLY-RULE R X) (APPLY-RULE R Y))))))

(DEFTYPE INJECTIVE-RULE
  (WRITABLE-AS R
    (R (INJECTIVE-RULE-BETWEEN S1 S2))
    (S1 SET)
    (S2 SET)))

(DEFTERM (RULE-RANGE (R RULE))
  (THE-SET-OF-ALL
    (WRITABLE-AS (APPLY-RULE R X)
      (X (MEMBER-OF (RULE-DOMAIN R))))))
The type SYMBOL and the macro QUOTE are implemented primitively. All 
atomic quotations are symbols. A structure is a rule whose domain is a set 
of symbols. 

(DEFTYPE STRUCTURE
  (LAMBDA ((R RULE))
    (AND (EXISTS-SOME (MEMBER-OF (RULE-DOMAIN R)))
         (IS-EVERY (MEMBER-OF (RULE-DOMAIN R))
                   SYMBOL))))

(DEFTYPE (SIGNATURE-SYMBOL (W STRUCTURE))
  (MEMBER-OF (RULE-DOMAIN W)))

(DEFTERM (STRUCTURE-COMPONENT
           (STRUCT STRUCTURE)
           (SYM (SIGNATURE-SYMBOL STRUCT)))
  (APPLY-RULE STRUCT SYM))

(DEFTERM (ASSIGN (ARG THING) (VALUE THING) (OLD-RULE RULE))
  (THE-RULE ((X (OR-TYPE
                  (EQUAL-TO ARG)
                  (MEMBER-OF (RULE-DOMAIN OLD-RULE)))))
    (IF (= X ARG)
        VALUE
        (APPLY-RULE OLD-RULE X))))

(LEMMA
  (FORALL ((S SYMBOL)
           (VAL THING)
           (W STRUCTURE))
    (IS (ASSIGN S VAL W)
        STRUCTURE)))

(IN-CONTEXT
  ((LET-BE W STRUCTURE)
   (LET-BE S SYMBOL)
   (LET-BE VAL THING)
   (LET-BE W2 (ASSIGN S VAL W))
   (PUSH-GOAL (IS W2 STRUCTURE)))
  (IN-CONTEXT
    ((LET-BE SYM (MEMBER-OF (RULE-DOMAIN W2))))
    (IN-CONTEXT
      ((PUSH-GOAL (IS SYM SYMBOL)))
      (IN-CONTEXT
        ((SUPPOSE (= SYM S)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTERM (BASE-STRUCTURE (S SYMBOL) (X THING))
  (THE-RULE ((Z (EQUAL-TO S))) X))

(LEMMA
  (FORALL ((S SYMBOL)
           (X THING))
    (IS (BASE-STRUCTURE S X)
        STRUCTURE)))

(IN-CONTEXT
  ((LET-BE S SYMBOL)
   (LET-BE X THING)
   (LET-BE W (BASE-STRUCTURE S X))
   (PUSH-GOAL (IS W STRUCTURE)))
  (NOTE (IS W STRUCTURE)))
(DEFTERM (MAKE-SET-STRUCTURE (S NON-EMPTY-SET))
  (BASE-STRUCTURE 'U-SET S))

(DEFTERM (U-SET (W STRUCTURE))
  (STRUCTURE-COMPONENT W 'U-SET))

(DEFTYPE SET-STRUCTURE
  (LAMBDA ((S STRUCTURE))
    (AND (IS 'U-SET (SIGNATURE-SYMBOL S))
         (IS (U-SET S) NON-EMPTY-SET))))

(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (IS (MAKE-SET-STRUCTURE S)
        SET-STRUCTURE)))

(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (= (U-SET (MAKE-SET-STRUCTURE S))
       S)))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE M (MAKE-SET-STRUCTURE S))
   (LET-BE SYM 'U-SET))
  (NOTE (IS M SET-STRUCTURE))
  (NOTE (= (U-SET M) S)))

(DEFTYPE (IN-U-SET (W SET-STRUCTURE))
  (MEMBER-OF (U-SET W)))

(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (EXISTS-SOME (IN-U-SET W))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W)))
    (IS X THING)))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W)))
    (IS (MAKE-SET X)
        (NON-EMPTY-SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (IS (MAKE-SET X Y)
        (SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W))
           (S2 (SUBSET-OF (U-SET W))))
    (IS (INSERT X S2)
        (SUBSET-OF (U-SET W)))))

(IN-CONTEXT
  ((LET-BE W SET-STRUCTURE)
   (LET-BE S (U-SET W)))
  (NOTE (EXISTS-SOME (IN-U-SET W)))
  (IN-CONTEXT
    ((LET-BE X (IN-U-SET W)))
    (NOTE (IS X THING))
    (IN-CONTEXT
      ((LET-BE SX (MAKE-SET X)))
      (NOTE (IS SX (NON-EMPTY-SUBSET-OF S))))
    (IN-CONTEXT
      ((LET-BE Y (IN-U-SET W))
       (LET-BE SXY (MAKE-SET X Y)))
      (NOTE (IS SXY (SUBSET-OF S))))
    (IN-CONTEXT
      ((LET-BE S2 (SUBSET-OF S))
       (LET-BE SX2 (INSERT X S2)))
      (NOTE (IS SX2 (SUBSET-OF S))))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (S2 (SUBSET-OF (U-SET W))))
    (IS S2 SET)))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (S2 (SUBSET-OF (U-SET W))))
    (IS-EVERY (MEMBER-OF S2)
              (IN-U-SET W))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (S2 (SUBSET-OF (U-SET W))))
    (=> (EXISTS-SOME (MEMBER-OF S2))
        (IS S2
            (NON-EMPTY-SUBSET-OF (U-SET W))))))

(IN-CONTEXT
  ((LET-BE W SET-STRUCTURE)
   (LET-BE S (U-SET W))
   (LET-BE S2 (SUBSET-OF (U-SET W))))
  (NOTE (IS S2 SET))
  (NOTE (IS-EVERY (MEMBER-OF S2)
                  (IN-U-SET W)))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2))))
    (NOTE (IS S2 (NON-EMPTY-SUBSET-OF S)))))
A.3 Maps

The terminology used in the proof of Stone's theorem makes a distinction 
between rules and maps; a rule is just a set of pairs, while a map consists 
of a domain set structure, a range set structure, and a rule between the 
underlying sets of the domain and range structures. The significance of the 
distinction between rules and maps can be seen in the following formula: 

(IS (DOMAIN F) LATTICE) 

If F denoted a rule (a set of pairs) there would be no well defined domain 
structure for F; at best the domain of F would be an unstructured set. Maps, 
on the other hand, have specified domain and range structures, so it is 
possible for the domain of F to be a lattice. 

Category theory generalizes the notion of a map to the notion of a "mor- 
phism". A morphism is like a map in that it has a domain and a range, but 
the domain and range of a morphism need not be set structures. In anticipa- 
tion of category theory we define a "mapoid" to be a structure with domain 
and range slots. A map is a mapoid in which the domain and range slots are 
filled with set structures and the rule slot is filled with a rule between 
the underlying sets of the domain and range. 
(DEFTYPE MAPOID 

(LAMBDA ((tf STRUCTURE)) 

(AND (IS 'DOMAIN (SIGNATURE-SYMBOL W)) 

(IS "RANGE (SIGNATURE-SYMBOL W))))) 

(DEFTERM (MAKE-MAPOID (D THING) (R THING) (H STRUCTURE)) 
(ASSIGN 'DOMAIN D 

(ASSIGN 'RANGE R W))) 

(DEFTERM (DOMAIN (W STRUCTURE)) 
(STRUCTURE-COMPONENT H 'DOMAIN)) 

(DEFTERM (RANGE (W STRUCTURE)) 
(STRUCTURE-COMPONENT W 'RANGE)) 
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(LEMMA 

(FORALL ((D THING) 
(R THIHG) 
(W STRUCTURE)) 
(IS (MAKE-MAPOID DRW) 
KAPOID))) 

(LEHHA 

(FORALL ((D THING) 
(R THING) 
(W STRUCTURE)) 
(= D 

(DOMAIN 

(MAKE-MAPOID D R W))))) 

(LEHHA 

(FORALL ((D THING) 
(R THING) 
(W STRUCTURE)) 
(= R 

(RANGE 

(MAKE-MAPOID D R H))))) 



(IN-CONTEXT
  ((LET-BE D THING)
   (LET-BE R THING)
   (LET-BE W STRUCTURE)
   (LET-BE M (MAKE-MAPOID D R W))
   (LET-BE W2 (ASSIGN 'RANGE R W))
   (LET-BE SYM1 'DOMAIN)
   (LET-BE SYM2 'RANGE))
  (NOTE (IS M MAPOID))
  (NOTE (= D (DOMAIN M)))
  (NOTE (= R (RANGE M))))



(DEFTERM (MAKE-MAP (G SET-STRUCTURE)
                   (H SET-STRUCTURE)
                   (R (RULE-BETWEEN (U-SET G)
                                    (U-SET H))))
  (MAKE-MAPOID G H (BASE-STRUCTURE 'RULE R)))



(DEFTYPE (MAP-BETWEEN (G SET-STRUCTURE)
                      (H SET-STRUCTURE))
  (WRITABLE-AS (MAKE-MAP G H R)
               (R (RULE-BETWEEN (U-SET G)
                                (U-SET H)))))
(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE))
    (EXISTS-SOME
      (RULE-BETWEEN (U-SET G)
                    (U-SET H)))))

(LEMMA 

(FORALL ((G SET-STRUCTURE) 
(H SET-STRUCTURE) 
(R (RULE-BETWEEN (U-SET G) 

(U-SET H)))) 
(IS R RULE))) 

(LEMMA
  (FORALL ((H SET-STRUCTURE)
           (G SET-STRUCTURE)
           (R (RULE-BETWEEN (U-SET G)
                            (U-SET H))))
    (= (RULE-DOMAIN R)
       (U-SET G))))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (R (RULE-BETWEEN (U-SET G)
                            (U-SET H)))
           (X (MEMBER-OF (RULE-DOMAIN R))))
    (IS (APPLY-RULE R X)
        (MEMBER-OF (U-SET H)))))



(IN-CONTEXT
  ((LET-BE G SET-STRUCTURE)
   (LET-BE H SET-STRUCTURE))
  (IN-CONTEXT
    ((LET-BE S1 (U-SET G))
     (LET-BE S2 (U-SET H)))
    (NOTE
      (EXISTS-SOME (RULE-BETWEEN S1 S2)))
    (IN-CONTEXT
      ((LET-BE R (RULE-BETWEEN S1 S2)))
      (NOTE (IS R RULE))
      (NOTE (= (RULE-DOMAIN R) (U-SET G)))
      (NOTE
        (FORALL ((X (MEMBER-OF
                      (RULE-DOMAIN R))))
          (IS (APPLY-RULE R X)
              (MEMBER-OF (U-SET H))))))))



(DEFTYPE (MAP-ON (G SET-STRUCTURE)) 
(WRITABLE-AS F 

(F (MAP-BETWEEN G H)) 
(H SET-STRUCTURE))) 

(DEFTYPE (MAP-INTO (H SET-STRUCTURE)) 
(WRITABLE-AS F 

(F (MAP-BETWEEN G H)) 
(G SET-STRUCTURE))) 

(DEFTYPE MAP 

(WRITABLE-AS (MAP-BETWEEN G H) 
(G SET-STRUCTURE) 
(H SET-STRUCTURE))) 

(DEFTERM (MAP-RULE (M MAP)) 

(STRUCTURE-COMPONENT M 'RULE)) 
(LEMMA
  (FORALL ((H SET-STRUCTURE)
           (G SET-STRUCTURE)
           (R (RULE-BETWEEN
                (U-SET G)
                (U-SET H))))
    (= (DOMAIN (MAKE-MAP G H R))
       G)))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (R (RULE-BETWEEN (U-SET G)
                            (U-SET H))))
    (= (RANGE (MAKE-MAP G H R))
       H)))

(LEMMA 

(FORALL ((G SET-STRUCTURE) 
(H SET-STRUCTURE) 
(R (RULE-BETWEEN 
(U-SET G) 
(U-SET H)))) 
(= (MAP-RULE (MAKE-MAP G H R)) 
R))) 



(IN-CONTEXT 

((LET-BE G SET-STRUCTURE) 
(LET-BE H SET-STRUCTURE) 
(LET-BE R (RULE-BETWEEN 
(U-SET G) 
(U-SET H))) 
(LET-BE M (MAKE-MAP G H R)) 
(LET-BE B (BASE-STRUCTURE 
'RULE 
R)) 
(LET-BE W (ASSIGN 'RANGE H B)) 
(LET-BE SYM1 'DOMAIN) 
(LET-BE SYM2 'RANGE) 
(LET-BE SYM3 'RULE)) 
(NOTE (= (DOMAIN M) G)) 
(NOTE (= (RANGE M) H)) 
(NOTE (= (MAP-RULE M) R) ) ) 
(LEMMA
  (FORALL ((H SET-STRUCTURE)
           (G SET-STRUCTURE)
           (M (MAP-BETWEEN G H)))
    (= G (DOMAIN M))))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (M (MAP-BETWEEN G H)))
    (= H (RANGE M))))



(IN-CONTEXT
  ((LET-BE G SET-STRUCTURE)
   (LET-BE H SET-STRUCTURE)
   (LET-BE M (MAP-BETWEEN G H))
   (WRITE-AS M (MAKE-MAP G H R)
             (R (RULE-BETWEEN
                  (U-SET G)
                  (U-SET H)))))
  (NOTE (= (DOMAIN M) G))
  (NOTE (= (RANGE M) H)))



(DEFTERM (APPLY-MAP (F MAP) 

(X (IN-U-SET (DOMAIN F)))) 
(APPLY-RULE (MAP-RULE F) X)) 



A.3. MAPS 265
(LEMMA
  (FORALL ((M MAP))
    (IS (DOMAIN M)
        SET-STRUCTURE)))

(LEMMA
  (FORALL ((M MAP))
    (= (RULE-DOMAIN (MAP-RULE M))
       (U-SET (DOMAIN M)))))

(LEMMA
  (FORALL ((M MAP))
    (IS (RANGE M) SET-STRUCTURE)))

(LEMMA
  (FORALL ((M MAP))
    (IS (MAP-RULE M)
        (RULE-BETWEEN
          (U-SET (DOMAIN M))
          (U-SET (RANGE M))))))

(LEMMA
  (FORALL ((M MAP)
           (X (IN-U-SET (DOMAIN M))))
    (IS (APPLY-MAP M X)
        (IN-U-SET (RANGE M)))))



(IN-CONTEXT
  ((LET-BE M MAP)
   (WRITE-AS M (MAP-BETWEEN G H)
             (G SET-STRUCTURE)
             (H SET-STRUCTURE))
   (WRITE-AS M (MAKE-MAP G H R)
             (R (RULE-BETWEEN (U-SET G)
                              (U-SET H))))
   (LET-BE X (IN-U-SET (DOMAIN M))))
  (NOTE (IS (DOMAIN M) SET-STRUCTURE))
  (NOTE (= (RULE-DOMAIN (MAP-RULE M))
           (U-SET (DOMAIN M))))
  (NOTE (IS (RANGE M) SET-STRUCTURE))
  (NOTE (IS (MAP-RULE M)
            (RULE-BETWEEN
              (U-SET (DOMAIN M))
              (U-SET (RANGE M)))))
  (NOTE (IS (APPLY-MAP M X)
            (IN-U-SET (RANGE M)))))
(DEFTYPE (IN-MAP-DOMAIN (F MAP))
  (IN-U-SET (DOMAIN F)))

(DEFTYPE (IN-MAP-RANGE (F MAP))
  (IN-U-SET (RANGE F)))
(LEMMA
  (FORALL ((M MAP))
    (IS (U-SET (DOMAIN M))
        SET)))

(LEMMA
  (FORALL ((M MAP))
    (= (IN-U-SET (DOMAIN M))
       (MEMBER-OF
         (U-SET (DOMAIN M))))))

(LEMMA
  (FORALL ((M MAP))
    (EXISTS-SOME
      (MEMBER-OF
        (U-SET (DOMAIN M))))))

(LEMMA
  (FORALL ((M MAP))
    (IS (U-SET (RANGE M))
        SET)))

(LEMMA
  (FORALL ((M MAP))
    (= (IN-U-SET (RANGE M))
       (MEMBER-OF
         (U-SET (RANGE M))))))

(LEMMA
  (FORALL ((M MAP))
    (EXISTS-SOME
      (MEMBER-OF
        (U-SET (RANGE M))))))



(IN-CONTEXT
  ((LET-BE M MAP))
  (IN-CONTEXT
    ((LET-BE G (DOMAIN M))
     (LET-BE S (U-SET G)))
    (NOTE (IS S SET))
    (NOTE (= (IN-U-SET G)
             (MEMBER-OF S)))
    (NOTE
      (EXISTS-SOME (MEMBER-OF S))))
  (IN-CONTEXT
    ((LET-BE G (RANGE M))
     (LET-BE S (U-SET G)))
    (NOTE (IS S SET))
    (NOTE (= (IN-U-SET G)
             (MEMBER-OF S)))
    (NOTE
      (EXISTS-SOME (MEMBER-OF S)))))



(LEMMA 

(FORALL ((M MAP)) 

(IS (MAP-RULE M) RULE))) 



(IN-CONTEXT
  ((LET-BE M MAP)
   (LET-BE R (MAP-RULE M))
   (LET-BE S1 (U-SET (DOMAIN M)))
   (LET-BE S2 (U-SET (RANGE M))))
  (NOTE (IS R RULE)))



(DEFTERM (APPLY-MAP-TO-SET
           (F MAP)
           (S (SUBSET-OF (U-SET (DOMAIN F)))))
  (THE-SET-OF-ALL
    (WRITABLE-AS (APPLY-MAP F X)
                 (X (MEMBER-OF S)))))
(LEMMA
  (FORALL ((M MAP)
           (S (SUBSET-OF
                (U-SET (DOMAIN M)))))
    (IS (APPLY-MAP-TO-SET M S)
        (SUBSET-OF
          (U-SET (RANGE M))))))



(IN-CONTEXT
  ((LET-BE M MAP)
   (LET-BE DSET (U-SET (DOMAIN M)))
   (LET-BE RSET (U-SET (RANGE M)))
   (LET-BE S (SUBSET-OF DSET))
   (LET-BE S2 (APPLY-MAP-TO-SET M S))
   (PUSH-GOAL
     (IS S2 (SUBSET-OF RSET))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (MEMBER-OF S2)))
     (LET-BE X (MEMBER-OF S2))
     (WRITE-AS X (APPLY-MAP M Y)
               (Y (MEMBER-OF S))))
    (NOTE-GOAL))
  (NOTE-GOAL))



(DEFTERM (IMAGE (F MAP)) 

(APPLY-MAP-TO-SET F (U-SET (DOMAIN F)))) 
(LEMMA
  (FORALL ((M MAP))
    (= (IMAGE M)
       (THE-SET-OF-ALL
         (WRITABLE-AS (APPLY-MAP M X)
                      (X (IN-U-SET
                           (DOMAIN M))))))))

(LEMMA 

(FORALL ((M MAP)) 
(EXISTS-SOME 

(MEMBER-OF (IMAGE M))))) 

(LEMMA 

(FORALL ((M MAP)) 
(IS (IMAGE M) 

(NON-EMPTY-SUBSET-OF 
(U-SET (RANGE M)))))) 



(IN-CONTEXT
  ((LET-BE M MAP)
   (LET-BE S (U-SET (DOMAIN M)))
   (LET-BE S2 (IMAGE M)))
  (NOTE
    (= (IMAGE M)
       (THE-SET-OF-ALL
         (WRITABLE-AS (APPLY-MAP M X)
                      (X (IN-U-SET
                           (DOMAIN M)))))))
  (IN-CONTEXT
    ((LET-BE S3 (U-SET (RANGE M)))
     (LET-BE X (IN-U-SET (DOMAIN M))))
    (NOTE
      (EXISTS-SOME (MEMBER-OF (IMAGE M))))
    (NOTE
      (IS S2 (NON-EMPTY-SUBSET-OF S3)))))



(DEFTERM (PREIMAGE (F MAP) 

(S (SUBSET-OF 

(U-SET (RANGE F))))) 
(THE-SET-OF-ALL (X (MEMBER-OF 

(U-SET (DOMAIN F)))) 
(IS (APPLY-MAP F X) (MEMBER-OF S)))) 
(LEMMA
  (FORALL ((F MAP)
           (S (NON-EMPTY-SUBSET-OF
                (IMAGE F))))
    (IS S
        (SUBSET-OF
          (U-SET (RANGE F))))))

(LEMMA
  (FORALL ((F MAP)
           (S (NON-EMPTY-SUBSET-OF
                (IMAGE F))))
    (EXISTS-SOME (MEMBER-OF S))))



(IN-CONTEXT 

((LET-BE F MAP) 
(LET-BE ISET (IMAGE F)) 
(LET-BE S (NON-EMPTY-SUBSET-OF 

(IMAGE F))) 
(LET-BE RSET (U-SET (RANGE F)))) 
(NOTE (IS S (SUBSET-OF RSET))) 
(NOTE (EXISTS-SOME (MEMBER-OF S)))) 






(LEMMA
  (FORALL ((F MAP)
           (Y (MEMBER-OF (IMAGE F))))
    (EXISTS-SOME
      (MEMBER-OF
        (PREIMAGE F (MAKE-SET Y))))))

(LEMMA
  (FORALL ((F MAP)
           (Y (MEMBER-OF (IMAGE F))))
    (= (PREIMAGE F (MAKE-SET Y))
       (THE-SET-OF-ALL
         (X (IN-U-SET (DOMAIN F)))
         (= (APPLY-MAP F X) Y)))))



(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE ISET (IMAGE F))
   (LET-BE Y (MEMBER-OF ISET))
   (LET-BE SY (MAKE-SET Y))
   (LET-BE PRE-Y1 (PREIMAGE F SY))
   (LET-BE PRE-Y2
     (THE-SET-OF-ALL (X (IN-U-SET
                          (DOMAIN F)))
       (= (APPLY-MAP F X) Y))))
  (IN-CONTEXT
    ((WRITE-AS Y (APPLY-MAP F X)
               (X (IN-U-SET (DOMAIN F)))))
    (NOTE
      (EXISTS-SOME (MEMBER-OF PRE-Y1))))
  (IN-CONTEXT
    ((PUSH-GOAL (= PRE-Y1 PRE-Y2)))
    (IN-CONTEXT
      ((LET-BE X (MEMBER-OF PRE-Y1))
       (LET-BE FX (APPLY-MAP F X)))
      (NOTE (IS PRE-Y1 (SUBSET-OF PRE-Y2)))
      (NOTE
        (EXISTS-SOME (MEMBER-OF PRE-Y2))))
    (IN-CONTEXT
      ((LET-BE X (MEMBER-OF PRE-Y2)))
      (NOTE-GOAL))))



(DEFTYPE INJECTION
  (LAMBDA ((F MAP))
    (IS (MAP-RULE F)
        INJECTIVE-RULE)))



(LEMMA
  (FORALL ((M MAP))
    (=> (FORALL ((X (MEMBER-OF
                      (IMAGE M))))
          (IS (PREIMAGE M (MAKE-SET X))
              SINGLETON-SET))
        (IS M INJECTION))))



(IN-CONTEXT
  ((LET-BE M MAP)
   (SUPPOSE
     (FORALL ((Y (MEMBER-OF (IMAGE M))))
       (IS (PREIMAGE M (MAKE-SET Y))
           SINGLETON-SET)))
   (PUSH-GOAL (IS M INJECTION)))
  (IN-CONTEXT
    ((LET-BE R (MAP-RULE M))
     (LET-BE S1 (U-SET (DOMAIN M)))
     (LET-BE S2 (U-SET (RANGE M)))
     (LET-BE X (IN-U-SET (DOMAIN M)))
     (LET-BE MX (APPLY-MAP M X)))
    (IN-CONTEXT
      ((LET-BE PRE-MX
         (PREIMAGE M (MAKE-SET MX))))
      (NOTE (EXACTLY-ONE (MEMBER-OF PRE-MX))))
    (IN-CONTEXT
      ((LET-BE X2 (IN-U-SET (DOMAIN M))
         (= (APPLY-RULE R X2)
            (APPLY-MAP M X)))
       (LET-BE X3 (IN-U-SET (DOMAIN M))
         (= (APPLY-RULE R X3)
            (APPLY-MAP M X))))
      (NOTE-GOAL))))






(DEFTYPE (INJECTION-BETWEEN (G SET-STRUCTURE)
                            (H SET-STRUCTURE))
  (AND-TYPE (MAP-BETWEEN G H)
            INJECTION))

(DEFTYPE SURJECTION
  (LAMBDA ((F MAP))
    (= (IMAGE F)
       (U-SET (RANGE F)))))

(DEFTYPE (SURJECTION-BETWEEN (G SET-STRUCTURE)
                             (H SET-STRUCTURE))
  (AND-TYPE (MAP-BETWEEN G H)
            SURJECTION))

(DEFTYPE BIJECTION
  (AND-TYPE SURJECTION
            INJECTION))

(DEFTYPE (BIJECTION-BETWEEN (G SET-STRUCTURE)
                            (H SET-STRUCTURE))
  (AND-TYPE (MAP-BETWEEN G H)
            BIJECTION))

(DEFTERM (IDENTITY-MAP (W SET-STRUCTURE))
  (MAKE-MAP
    W
    W
    (THE-RULE ((X (IN-U-SET W)))
      X)))



(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (IS (IDENTITY-MAP W)
        (MAP-BETWEEN W W))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (MEMBER-OF (U-SET W))))
    (= (APPLY-MAP (IDENTITY-MAP W) X)
       X)))



(IN-CONTEXT ((LET-BE W SET-STRUCTURE)
             (LET-BE R
               (THE-RULE ((X (IN-U-SET W)))
                 X))
             (LET-BE S (U-SET W))
             (LET-BE X (MEMBER-OF S))
             (LET-BE I (IDENTITY-MAP W)))
  (NOTE (IS I (MAP-BETWEEN W W)))
  (NOTE (= (APPLY-MAP I X) X)))



(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (IS (IDENTITY-MAP W) BIJECTION)))






(IN-CONTEXT
  ((LET-BE W SET-STRUCTURE)
   (LET-BE I (IDENTITY-MAP W))
   (PUSH-GOAL (IS I BIJECTION)))

  (IN-CONTEXT
    ((PUSH-GOAL (IS I SURJECTION)))
    (IN-CONTEXT
      ((LET-BE ISET1 (IMAGE I))
       (LET-BE ISET2 (U-SET W))
       (PUSH-GOAL (= ISET1 ISET2)))
      (IN-CONTEXT
        ((LET-BE X (MEMBER-OF ISET2)))
        (NOTE-GOAL)))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((PUSH-GOAL (IS I INJECTION))
     (LET-BE X (IN-U-SET (RANGE I)))
     (LET-BE PRE-X
       (PREIMAGE I (MAKE-SET X)))
     (LET-BE PREX1 (MEMBER-OF PRE-X))
     (LET-BE PREX2 (MEMBER-OF PRE-X)))
    (NOTE (EXACTLY-ONE
            (MEMBER-OF PRE-X)))
    (NOTE-GOAL))

  (NOTE-GOAL))



(LEMMA (EXISTS-SOME INJECTION))

(IN-CONTEXT ((LET-BE M BIJECTION))
  (NOTE (EXISTS-SOME INJECTION)))
(LEMMA
  (FORALL ((M INJECTION)
           (Y (MEMBER-OF (IMAGE M))))
    (EXACTLY-ONE (X (IN-U-SET
                      (DOMAIN M)))
      (= (APPLY-MAP M X)
         Y))))



(IN-CONTEXT
  ((LET-BE M INJECTION)
   (LET-BE Y (MEMBER-OF (IMAGE M)))
   (PUSH-GOAL
     (EXACTLY-ONE (X (IN-U-SET (DOMAIN M)))
       (= (APPLY-MAP M X)
          Y))))
  (IN-CONTEXT
    ((LET-BE R (MAP-RULE M))
     (WRITE-AS R (INJECTIVE-RULE-BETWEEN DSET S3)
               (DSET SET)
               (S3 SET)))
    (IN-CONTEXT
      ((WRITE-AS Y (APPLY-MAP M X)
                 (X (IN-U-SET (DOMAIN M)))))
      (NOTE (EXISTS (S2 (IN-U-SET (DOMAIN M)))
              (= (APPLY-MAP M S2)
                 Y))))
    (IN-CONTEXT
      ((LET-BE X1 (IN-U-SET (DOMAIN M))
         (= (APPLY-MAP M X1) Y))
       (LET-BE X2 (IN-U-SET (DOMAIN M))
         (= (APPLY-MAP M X2) Y)))
      (NOTE-GOAL))))






(DEFTYPE (STRUCTURE-CONTAINING (S SET))
  (LAMBDA ((W SET-STRUCTURE))
    (IS S (SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (IS (MAKE-SET-STRUCTURE S)
        (STRUCTURE-CONTAINING S))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE W (MAKE-SET-STRUCTURE S)))
  (NOTE (IS W (STRUCTURE-CONTAINING S))))

(DEFTERM (SET!-RANGE
           (F MAP)
           (W (STRUCTURE-CONTAINING (IMAGE F))))
  (MAKE-MAP (DOMAIN F) W (MAP-RULE F)))



(LEMMA
  (FORALL ((F MAP))
    (EXISTS-SOME
      (STRUCTURE-CONTAINING
        (IMAGE F)))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS W SET-STRUCTURE)))

(IN-CONTEXT ((LET-BE F MAP))
  (IN-CONTEXT ((LET-BE ISET (IMAGE F)))
    (NOTE
      (EXISTS-SOME
        (STRUCTURE-CONTAINING (IMAGE F)))))
  (IN-CONTEXT
    ((LET-BE W
       (STRUCTURE-CONTAINING (IMAGE F))))
    (NOTE (IS W SET-STRUCTURE))))



(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F)))
           (X (MEMBER-OF (IMAGE F))))
    (IS X (IN-U-SET W))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS (MAP-RULE F)
        (RULE-BETWEEN (U-SET (DOMAIN F))
                      (U-SET W)))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS (SET!-RANGE F W)
        (MAP-BETWEEN (DOMAIN F) W))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS (SET!-R ANGE F W)
        MAP)))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (DOMAIN (SET!-RANGE F W))
       (DOMAIN F))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (RANGE (SET!-RANGE F W))
       W)))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (MAP-RULE (SET!-RANGE F W))
       (MAP-RULE F))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F)))
           (X (IN-U-SET
                (DOMAIN
                  (SET!-RANGE F W)))))
    (= (APPLY-MAP (SET!-RANGE F W)
                  X)
       (APPLY-MAP F X))))



(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE W
     (STRUCTURE-CONTAINING
       (IMAGE F)))
   (LET-BE R (MAP-RULE F)))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF
                 (IMAGE F)))
     (LET-BE S1 (U-SET W))
     (LET-BE S2 (IMAGE F)))
    (NOTE (IS X (IN-U-SET W))))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS R (RULE-BETWEEN
               (U-SET (DOMAIN F))
               (U-SET W))))
     (LET-BE DSET (U-SET (DOMAIN F)))
     (LET-BE WSET (U-SET W))
     (LET-BE X (MEMBER-OF DSET))
     (LET-BE RX (APPLY-RULE R X)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE F2 (SET!-RANGE F W)))
    (IN-CONTEXT
      ((LET-BE DSTRUCT (DOMAIN F)))
      (NOTE
        (IS F2 (MAP-BETWEEN DSTRUCT W)))
      (NOTE (IS F2 MAP))
      (NOTE (= (DOMAIN F2) (DOMAIN F)))
      (NOTE (= (RANGE F2) W))
      (NOTE (= (MAP-RULE F2)
               (MAP-RULE F))))
    (IN-CONTEXT
      ((LET-BE X (IN-U-SET (DOMAIN F2))))
      (NOTE (= (APPLY-MAP F2 X)
               (APPLY-MAP F X))))))
(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (IMAGE F)
       (IMAGE (SET!-RANGE F W)))))

(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE W (STRUCTURE-CONTAINING
               (IMAGE F)))
   (LET-BE F2 (SET!-RANGE F W))
   (LET-BE ISET (IMAGE F))
   (LET-BE ISET2 (IMAGE F2))
   (PUSH-GOAL (= ISET ISET2)))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF ISET))
     (WRITE-AS X (APPLY-MAP F Y)
               (Y (IN-U-SET (DOMAIN F)))))
    (NOTE (IS ISET (SUBSET-OF ISET2))))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF ISET2))
     (WRITE-AS X (APPLY-MAP F2 Y)
               (Y (IN-U-SET (DOMAIN F2)))))
    (NOTE (IS ISET2 (SUBSET-OF ISET))))
  (NOTE-GOAL))



A.4 Relations, Choice, and Relation Structures 

Relations are implemented as non-deterministic rules. More specifically, a 
relation is implemented as a rule that maps an object to a set of "possible 
values". Objects x and y are related under the relation r just in case y is a 
member of the set r(x). 

A relation r is "total" just in case for all x in the rule domain of r the set 
r(x) is not empty. A choice function for a total relation r is a rule r' such 
that for all x in the rule domain of r, r'(x) is a member of r(x). The axiom of 
choice (as stated here) says that every total relation has at least one choice 
function. 

Transitive, symmetric, antisymmetric, reflexive and irreflexive relations 
are defined in the standard ways and some standard facts are proven, e.g. a 
transitive irreflexive relation is antisymmetric. 

A relation structure is a set structure with a slot that contains a relation 
on the underlying set. This section contains a surprising number of trivial 
facts about relation structures. 
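The representation just described, as an added Python example that is not part of the Ontic listing or of the thesis's own code: a relation is a rule from each object to its set of possible values, totality and choice functions are checked against that rule, RESTRICT-RELATION is computed, and the five relation properties are defined. It goes one step beyond the text by checking the lemma "a transitive irreflexive relation is antisymmetric" exhaustively over every relation on a small finite set. All function names and the sample relations `DIVIDES` and `NEAR` are our own constructions.

```python
# Added example (not from the Ontic listing): relations as non-deterministic
# rules, totality, choice functions, restriction, the relation properties of
# this section, and a finite brute-force check of the lemma that a transitive
# irreflexive relation is antisymmetric.  All names and samples are our own.
from itertools import product
from typing import Any, Dict, FrozenSet, Iterator

Relation = Dict[Any, FrozenSet[Any]]   # RELATION: a rule x -> set of values


def related(x, y, r: Relation) -> bool:          # y IS (RELATED-TO x r)
    return y in r[x]


def is_total(r: Relation) -> bool:               # TOTAL-RELATION
    return all(len(r[x]) > 0 for x in r)


def is_choice_function(f: Dict[Any, Any], r: Relation) -> bool:
    """CHOICE-FUNCTION-FOR r: same domain, and f(x) is one of the possible
    values r(x)."""
    return set(f) == set(r) and all(f[x] in r[x] for x in r)


def choose(r: Relation) -> Dict[Any, Any]:
    """A choice function for a finite total relation (take the smallest
    possible value).  The axiom of choice is only needed when the domain
    cannot be enumerated like this."""
    if not is_total(r):
        raise ValueError("only total relations have choice functions")
    return {x: min(r[x]) for x in r}


def is_relation_on(r: Relation, s: FrozenSet) -> bool:   # RELATION-ON s
    return set(r) == set(s) and all(r[x] <= s for x in r)


def restrict(r: Relation, s2: FrozenSet) -> Relation:     # RESTRICT-RELATION
    """The relation on s2 that agrees with r on pairs drawn from s2."""
    assert s2 <= set(r)
    return {x: r[x] & s2 for x in s2}


def reflexive(r: Relation, s: FrozenSet) -> bool:
    return all(related(x, x, r) for x in s)


def irreflexive(r: Relation, s: FrozenSet) -> bool:
    return not any(related(x, x, r) for x in s)


def symmetric(r: Relation, s: FrozenSet) -> bool:
    return all(related(x, y, r) == related(y, x, r) for x in s for y in s)


def antisymmetric(r: Relation, s: FrozenSet) -> bool:
    return not any(x != y and related(x, y, r) and related(y, x, r)
                   for x in s for y in s)


def transitive(r: Relation, s: FrozenSet) -> bool:
    return all(related(x, z, r)
               for x in s for y in r[x] if y in r for z in r[y])


def all_relations_on(s: FrozenSet) -> Iterator[Relation]:
    """Every RELATION-ON s: choose a subset of s for each x (2^(n*n) total)."""
    elems = sorted(s)
    subsets = [frozenset(e for e, bit in zip(elems, bits) if bit)
               for bits in product([0, 1], repeat=len(elems))]
    for values in product(subsets, repeat=len(elems)):
        yield dict(zip(elems, values))


def lemma_transitive_irreflexive_is_antisymmetric(s: FrozenSet) -> bool:
    """Exhaustive check of the lemma over all relations on a finite set."""
    return all(antisymmetric(r, s) for r in all_relations_on(s)
               if transitive(r, s) and irreflexive(r, s))


# Constructed samples on S = {1, 2, 3, 4, 6}.
S = frozenset([1, 2, 3, 4, 6])
DIVIDES = {x: frozenset(y for y in S if y != x and y % x == 0) for x in S}
NEAR = {x: frozenset(y for y in S if abs(x - y) <= 2) for x in S}
```

`DIVIDES` is transitive and irreflexive but not total (4 and 6 have no proper multiples in S), so `choose` rightly refuses it; `NEAR` is total, reflexive and symmetric, and `choose(NEAR)` is a choice function for it. The exhaustive check over the 512 relations on a three-element set is the finite shadow of the Ontic lemma at the end of this section.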



276 APPENDIX A. THE STONE REPRESENTATION THEOREM 

(DEFTYPE RELATION
  (LAMBDA ((R RULE))
    (FORALL ((X (MEMBER-OF (RULE-DOMAIN R))))
      (IS (APPLY-RULE R X) SET))))

(DEFTYPE (RELATED-TO (X (MEMBER-OF (RULE-DOMAIN R)))
                     (R RELATION))
  (MEMBER-OF (APPLY-RULE R X)))

(DEFTERM (RELATION-RANGE (R RELATION))
  (FAMILY-UNION (RULE-RANGE R)))

(DEFTYPE TOTAL-RELATION
  (LAMBDA ((R RELATION))
    (FORALL ((X (MEMBER-OF (RULE-DOMAIN R))))
      (EXISTS-SOME (RELATED-TO X R)))))

(DEFTYPE (CHOICE-FUNCTION-FOR (R TOTAL-RELATION))
  (LAMBDA ((R2 (RULE-BETWEEN
                 (RULE-DOMAIN R)
                 (RELATION-RANGE R))))
    (FORALL ((X (MEMBER-OF (RULE-DOMAIN R))))
      (IS (APPLY-RULE R2 X)
          (MEMBER-OF (APPLY-RULE R X))))))

;the axiom of choice:

(AXIOM
  (FORALL ((R TOTAL-RELATION))
    (EXISTS-SOME (CHOICE-FUNCTION-FOR R))))

(DEFTYPE (RELATION-ON (S SET))
  (RULE-BETWEEN S (POWER-SET S)))

(LEMMA
  (FORALL ((S SET))
    (EXISTS-SOME (RELATION-ON S))))

(LEMMA
  (FORALL ((S SET)
           (R (RELATION-ON S)))
    (IS R RELATION)))

(LEMMA
  (FORALL ((S SET)
           (R (RELATION-ON S)))
    (= (RULE-DOMAIN R) S)))

(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE P (POWER-SET S)))
  (NOTE (EXISTS-SOME (RELATION-ON S)))
  (IN-CONTEXT ((LET-BE R (RELATION-ON S)))
    (IN-CONTEXT ((PUSH-GOAL (IS R RELATION)))
      (IN-CONTEXT
        ((SUPPOSE
           (EXISTS-SOME (MEMBER-OF S)))
         (LET-BE X (MEMBER-OF S))
         (LET-BE Y (APPLY-RULE R X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE (= (RULE-DOMAIN R) S))))
(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (R RELATION))
    (=> (AND (FORALL ((X (MEMBER-OF S)))
               (IS (APPLY-RULE R X)
                   (SUBSET-OF S)))
             (= (RULE-DOMAIN R) S))
        (IS R (RELATION-ON S)))))



(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R RELATION)
   (SUPPOSE (= (RULE-DOMAIN R) S))
   (SUPPOSE (FORALL ((X (MEMBER-OF S)))
              (IS (APPLY-RULE R X)
                  (SUBSET-OF S))))
   (PUSH-GOAL (IS R (RELATION-ON S))))
  (IN-CONTEXT ((LET-BE X (MEMBER-OF S))
               (LET-BE Y
                 (APPLY-RULE R X))
               (LET-BE D (POWER-SET S)))
    (NOTE-GOAL)))



(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (X (MEMBER-OF S))
           (R (RELATION-ON S))
           (Y (RELATED-TO X R)))
    (IS Y (MEMBER-OF S))))






(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (RELATION-ON S))
   (LET-BE X (MEMBER-OF S))
   (PUSH-GOAL (IS-EVERY (RELATED-TO X R)
                        (MEMBER-OF S))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (RELATED-TO X R)))
     (LET-BE Y
       (RELATED-TO X R))
     (LET-BE P (POWER-SET S))
     (LET-BE S2
       (APPLY-RULE R X)))
    (NOTE-GOAL))
  (NOTE-GOAL))



(DEFTERM (PROVIDE-RELATION (R (RELATION-ON (U-SET W)))
                           (W SET-STRUCTURE))
  (ASSIGN 'RELATION R W))

(DEFTYPE RELATION-STRUCTURE
  (LAMBDA ((W SET-STRUCTURE))
    (AND (IS 'RELATION
             (SIGNATURE-SYMBOL W))
         (IS (STRUCTURE-COMPONENT W 'RELATION)
             (RELATION-ON (U-SET W))))))

(DEFTERM (GET-RELATION (S RELATION-STRUCTURE))
  (STRUCTURE-COMPONENT S 'RELATION))
(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (EXISTS-SOME
      (RELATION-ON (U-SET W)))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (R (RELATION-ON (U-SET W))))
    (IS (PROVIDE-RELATION R W)
        RELATION-STRUCTURE)))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (R (RELATION-ON (U-SET W))))
    (= (GET-RELATION
         (PROVIDE-RELATION R W))
       R)))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (R (RELATION-ON (U-SET W))))
    (= (U-SET (PROVIDE-RELATION R W))
       (U-SET W))))



(IN-CONTEXT ((LET-BE W SET-STRUCTURE)
             (LET-BE S (U-SET W)))
  (NOTE
    (EXISTS-SOME (RELATION-ON (U-SET W))))
  (IN-CONTEXT
    ((LET-BE R (RELATION-ON (U-SET W)))
     (LET-BE W2 (PROVIDE-RELATION R W))
     (LET-BE SYM1 'RELATION)
     (LET-BE SYM2 'U-SET))
    (NOTE (IS W2 RELATION-STRUCTURE))
    (NOTE (= (GET-RELATION W2) R))
    (NOTE (= (U-SET W2) (U-SET W)))))






(DEFTERM (MAKE-RELATION-STRUCTURE (R (RELATION-ON S))
                                  (S SET))
  (PROVIDE-RELATION R (MAKE-SET-STRUCTURE S)))



(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (R (RELATION-ON S)))
    (IS (MAKE-RELATION-STRUCTURE R S)
        RELATION-STRUCTURE)))

(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (R (RELATION-ON S)))
    (= (GET-RELATION
         (MAKE-RELATION-STRUCTURE R S))
       R)))

(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (R (RELATION-ON S)))
    (= (U-SET
         (MAKE-RELATION-STRUCTURE R S))
       S)))



(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (RELATION-ON S))
   (LET-BE W (MAKE-RELATION-STRUCTURE R S))
   (LET-BE W2 (MAKE-SET-STRUCTURE S)))
  (NOTE (IS W RELATION-STRUCTURE))
  (NOTE (= (GET-RELATION W) R))
  (NOTE (= (U-SET W) S)))



(DEFTERM (RESTRICT-RELATION-STRUCTURE
           (R RELATION-STRUCTURE)
           (S (NON-EMPTY-SUBSET-OF (U-SET R))))
  (MAKE-RELATION-STRUCTURE
    (RESTRICT-RELATION (GET-RELATION R) S) S))
(LEMMA
  (FORALL ((R RELATION)
           (S2 (SUBSET-OF
                 (RULE-DOMAIN R))))
    (IS (RESTRICT-RELATION R S2)
        (RELATION-ON S2))))

(LEMMA
  (FORALL ((R RELATION)
           (S2 (SUBSET-OF
                 (RULE-DOMAIN R)))
           (X1 (MEMBER-OF S2))
           (X2 (MEMBER-OF S2)))
    (IFF
      (IS X1
          (RELATED-TO X2 R))
      (IS X1
          (RELATED-TO X2
            (RESTRICT-RELATION R S2))))))






(IN-CONTEXT
  ((LET-BE R RELATION)
   (LET-BE S (RULE-DOMAIN R))
   (LET-BE S2 (SUBSET-OF S))
   (LET-BE R2 (RESTRICT-RELATION R S2)))

  (IN-CONTEXT
    ((PUSH-GOAL (IS R2 (RELATION-ON S2))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME (MEMBER-OF S2)))
       (LET-BE X (MEMBER-OF S2))
       (LET-BE S3 (APPLY-RULE R X))
       (LET-BE S4 (APPLY-RULE R2 X)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((SUPPOSE
         (NOT
           (EXISTS-SOME (MEMBER-OF S2))))
       (LET-BE P (POWER-SET S2)))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((PUSH-GOAL
       (FORALL ((X (MEMBER-OF S2))
                (Y (MEMBER-OF S2)))
         (IFF (IS X (RELATED-TO Y R))
              (IS X (RELATED-TO Y R2))))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME (MEMBER-OF S2)))
       (LET-BE X (MEMBER-OF S2))
       (LET-BE Y (MEMBER-OF S2))
       (LET-BE SR (APPLY-RULE R Y))
       (LET-BE SR2 (APPLY-RULE R2 Y)))
      (IN-CONTEXT
        ((SUPPOSE (IS X (RELATED-TO Y R))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))



(LEMMA
  (FORALL ((W RELATION-STRUCTURE))
    (EXISTS-SOME
      (NON-EMPTY-SUBSET-OF
        (U-SET W)))))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (IS S2 NON-EMPTY-SET)))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (IS (RESTRICT-RELATION
          (GET-RELATION W)
          S2)
        (RELATION-ON S2))))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W)))
           (X1 (MEMBER-OF S2))
           (X2 (MEMBER-OF S2)))
    (IFF
      (IS X1
          (RELATED-TO X2
            (GET-RELATION W)))
      (IS X1
          (RELATED-TO X2
            (RESTRICT-RELATION
              (GET-RELATION W)
              S2))))))



(IN-CONTEXT ((LET-BE W RELATION-STRUCTURE)
             (LET-BE S (U-SET W)))
  (NOTE
    (EXISTS-SOME
      (NON-EMPTY-SUBSET-OF (U-SET W))))
  (IN-CONTEXT
    ((LET-BE S2 (NON-EMPTY-SUBSET-OF S)))
    (NOTE (IS S2 NON-EMPTY-SET))
    (IN-CONTEXT
      ((LET-BE R
         (RESTRICT-RELATION
           (GET-RELATION W)
           S2))
       (LET-BE R2 (GET-RELATION W)))
      (NOTE (IS (RESTRICT-RELATION
                  (GET-RELATION W)
                  S2)
                (RELATION-ON S2)))
      (NOTE
        (FORALL ((?:X (MEMBER-OF S2))
                 (X (MEMBER-OF S2)))
          (IFF
            (IS X
                (RELATED-TO ?:X (GET-RELATION W)))
            (IS X
                (RELATED-TO ?:X
                  (RESTRICT-RELATION
                    (GET-RELATION W)
                    S2)))))))))
(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (IS (RESTRICT-RELATION-STRUCTURE
          W
          S2)
        RELATION-STRUCTURE)))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (= (GET-RELATION
         (RESTRICT-RELATION-STRUCTURE
           W
           S2))
       (RESTRICT-RELATION
         (GET-RELATION W) S2))))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (= (U-SET
         (RESTRICT-RELATION-STRUCTURE
           W
           S2))
       S2)))



(IN-CONTEXT
  ((LET-BE W RELATION-STRUCTURE)
   (LET-BE S (U-SET W))
   (LET-BE S2 (NON-EMPTY-SUBSET-OF S))
   (LET-BE R
     (RESTRICT-RELATION (GET-RELATION W) S2))
   (LET-BE W2
     (RESTRICT-RELATION-STRUCTURE W S2)))

  (NOTE (IS (RESTRICT-RELATION-STRUCTURE W S2)
            RELATION-STRUCTURE))
  (NOTE (= (GET-RELATION
             (RESTRICT-RELATION-STRUCTURE W S2))
           (RESTRICT-RELATION
             (GET-RELATION W)
             S2)))
  (NOTE (= (U-SET
             (RESTRICT-RELATION-STRUCTURE W S2))
           S2)))



(LEMMA
  (FORALL
    ((W RELATION-STRUCTURE)
     (S2 (NON-EMPTY-SUBSET-OF
           (U-SET W)))
     (X (IN-U-SET
          (RESTRICT-RELATION-STRUCTURE
            W
            S2))))
    (IS X (IN-U-SET W))))



(IN-CONTEXT
  ((LET-BE W RELATION-STRUCTURE)
   (LET-BE S2
     (NON-EMPTY-SUBSET-OF (U-SET W)))
   (LET-BE W2
     (RESTRICT-RELATION-STRUCTURE W S2))
   (LET-BE X (IN-U-SET W2))
   (LET-BE S (U-SET W)))
  (NOTE (IS X (IN-U-SET W))))



(DEFTYPE (RIGHT-ADJACENT (X (IN-U-SET R)) 

(R RELATION-STRUCTURE)) 
(RELATED-TO X (GET-RELATION R))) 
(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (X (IN-U-SET W))
           (Y (RIGHT-ADJACENT X W)))
    (IS Y (IN-U-SET W))))

(IN-CONTEXT
  ((LET-BE W RELATION-STRUCTURE)
   (LET-BE X (IN-U-SET W))
   (PUSH-GOAL (IS-EVERY (RIGHT-ADJACENT X W)
                        (IN-U-SET W))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (RIGHT-ADJACENT X W)))
     (LET-BE Y (RIGHT-ADJACENT X W))
     (LET-BE S (U-SET W))
     (LET-BE R (GET-RELATION W)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE (LEFT-ADJACENT (Y (IN-U-SET R))
                        (R RELATION-STRUCTURE))
  (LAMBDA ((X (IN-U-SET R)))
    (IS Y (RIGHT-ADJACENT X R))))

(DEFTYPE (REFLEXIVE-RELATION-ON (S SET))
  (LAMBDA ((R (RELATION-ON S)))
    (FORALL ((X (MEMBER-OF S)))
      (IS X (RELATED-TO X R)))))

(DEFTYPE (IRREFLEXIVE-RELATION-ON (S SET))
  (LAMBDA ((R (RELATION-ON S)))
    (FORALL ((X (MEMBER-OF S)))
      (NOT (IS X (RELATED-TO X R))))))

(DEFTYPE (SYMMETRIC-RELATION-ON (S SET))
  (LAMBDA ((R (RELATION-ON S)))
    (FORALL ((X (MEMBER-OF S))
             (Y (MEMBER-OF S)))
      (IFF (IS X (RELATED-TO Y R))
           (IS Y (RELATED-TO X R))))))

(DEFTYPE (ANTISYMMETRIC-RELATION-ON (S SET))
  (LAMBDA ((R (RELATION-ON S)))
    (FORALL ((X (MEMBER-OF S))
             (Y (OTHER-MEMBER S X)))
      (NOT (AND (IS X (RELATED-TO Y R))
                (IS Y (RELATED-TO X R)))))))

(DEFTYPE (TRANSITIVE-RELATION-ON (S SET))
  (LAMBDA ((R (RELATION-ON S)))
    (FORALL ((X (MEMBER-OF S))
             (Y (RELATED-TO X R)))
      (IS-EVERY (RELATED-TO Y R) (RELATED-TO X R)))))
(DEFTYPE (EQUIVALENCE-RELATION-ON (S SET))
  (AND-TYPE (SYMMETRIC-RELATION-ON S)
            (TRANSITIVE-RELATION-ON S)
            (REFLEXIVE-RELATION-ON S)))

(DEFTYPE EQUIVALENCE-RELATION
  (WRITABLE-AS R
               (R (EQUIVALENCE-RELATION-ON S))
               (S SET)))

(DEFTERM (THE-TOTAL-RELATION-ON (S SET))
  (THE-RULE ((X (MEMBER-OF S))) S))



(LEMMA 

(FORALL ((S NON-EMPTY-SET)) 
(IS (THE-TOTAL-RELATION-ON S) 

(EQUIVALENCE-RELATION-ON S)))) 



(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (THE-TOTAL-RELATION-ON S))
   (PUSH-GOAL
     (IS R (EQUIVALENCE-RELATION-ON S))))
  (IN-CONTEXT ((LET-BE X (MEMBER-OF S)))
    (NOTE (IS R (REFLEXIVE-RELATION-ON S)))
    (IN-CONTEXT ((LET-BE Y (MEMBER-OF S)))
      (NOTE (IS R (SYMMETRIC-RELATION-ON S))))
    (IN-CONTEXT ((LET-BE Y (RELATED-TO X R)))
      (NOTE (IS R (TRANSITIVE-RELATION-ON S)))))
  (NOTE-GOAL))






(LEMMA 
(FORALL 

((S NON-EMPTY-SET) 
(R (TRANSITIVE-RELATION-ON S))) 
(=> 
(IS R 

(IRREFLEXIVE-RELATION-ON S)) 
(IS R 

(ANTISYMMETRIC-RELATION-ON S))))) 



(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (TRANSITIVE-RELATION-ON S))
   (SUPPOSE
     (IS R (IRREFLEXIVE-RELATION-ON S)))
   (PUSH-GOAL
     (IS R (ANTISYMMETRIC-RELATION-ON S))))
  (IN-CONTEXT ((LET-BE X (MEMBER-OF S)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (FORALL ((Y (OTHER-MEMBER S X)))
           (NOT (AND (IS X (RELATED-TO Y R))
                     (IS Y (RELATED-TO X R)))))))
      (IN-CONTEXT
        ((SUPPOSE
           (EXISTS-SOME (OTHER-MEMBER S X)))
         ;the above supposition constrains x
         ;and prevents full generalization
         (LET-BE Y (OTHER-MEMBER S X)))
        (NOTE (NOT (AND (IS X (RELATED-TO Y R))
                        (IS Y (RELATED-TO X R)))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))




A.5 Partial Orders and Zorn's Lemma 



A partial order is defined here as a transitive irreflexive relation (every 
such relation is also antisymmetric). A poset (partially ordered set) is a 
relation structure whose relation is a partial order on the underlying set. 
Given a poset p and an element x of the underlying set of p the types 
(LESS-THAN x p) and (LESS-OR-EQUAL-TO x p) are defined in the obvious 
way. A total order is a partial order in which every two elements are 
ordered. 

Let p be a poset, s a subset of the underlying set of p, and x an element 
of the underlying set of p. We say that x is a maximal element of s if it is 
an element of s and no element of s is greater than x. We say that x is the 
greatest member of s if it is a member of s and all members of s are less than 
or equal to x. We say that x is an upper bound of s if every member of s is 
less than or equal to x. The notions of minimal member, least member, and 
lower bound are defined similarly. We say that x is a least upper bound of 
s if it is the least member of the set of all upper bounds of s; greatest lower 
bounds are defined similarly. 

A chain in a poset p is a subset s of p which is totally ordered by the order 
relation of p. An inductive order is a partial order in which every chain has 
an upper bound. Zorn's lemma states that if p is an inductive order and x 
is a member of the underlying set of p then there is a maximal member of p 
which is greater than or equal to x. Zorn's lemma can be proven from the 
axiom of choice but we take it as an axiom. 
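The order notions just defined, as an added Python example that is not part of the Ontic listing or of the thesis's own code. A finite poset is a relation structure whose relation is a strict partial order; the class checks that, then provides LESS-THAN and LESS-OR-EQUAL-TO, maximal and greatest members, upper bounds and least upper bounds, chains and the inductive-order test, and finally the finite case of Zorn's lemma (where no choice axiom is needed: one simply climbs until nothing is greater). The `Poset` class and the divisibility sample `DIV` are our own constructions; the convention that `r[x]` holds the elements greater than x follows the RIGHT-ADJACENT definition of the previous section.

```python
# Added example (not from the Ontic listing): a finite poset as a relation
# structure whose relation is a strict partial order, the order notions
# defined in this section, and the finite case of Zorn's lemma.  The Poset
# class and the divisibility sample are our own constructions.
from itertools import product
from typing import Any, Dict, FrozenSet, Iterator, Optional

Relation = Dict[Any, FrozenSet[Any]]   # r[x] = elements RIGHT-ADJACENT to x


class Poset:
    """RELATION-STRUCTURE whose GET-RELATION is a PARTIAL-ORDER-ON its U-SET.
    Convention of the section: y in r[x] means y is GREATER-THAN x."""

    def __init__(self, u_set: FrozenSet, r: Relation) -> None:
        if set(r) != set(u_set) or not all(r[x] <= u_set for x in u_set):
            raise ValueError("r is not a RELATION-ON the underlying set")
        irreflexive = not any(x in r[x] for x in u_set)
        transitive = all(z in r[x] for x in u_set for y in r[x] for z in r[y])
        if not (irreflexive and transitive):
            raise ValueError("r is not a partial order")
        self.u_set, self.r = u_set, r

    def less_than(self, x, y) -> bool:        # y IS (GREATER-THAN x p)
        return y in self.r[x]

    def less_or_equal(self, x, y) -> bool:    # LESS-OR-EQUAL-TO
        return x == y or self.less_than(x, y)

    def maximal(self, s: FrozenSet) -> FrozenSet:
        """Members of s that no member of s is greater than."""
        return frozenset(x for x in s if not (self.r[x] & s))

    def greatest(self, s: FrozenSet) -> Optional[Any]:
        """The member of s that every member of s is <= to, if any."""
        g = [x for x in s if all(self.less_or_equal(y, x) for y in s)]
        return g[0] if g else None

    def least(self, s: FrozenSet) -> Optional[Any]:
        l = [x for x in s if all(self.less_or_equal(x, y) for y in s)]
        return l[0] if l else None

    def upper_bounds(self, s: FrozenSet) -> FrozenSet:
        return frozenset(x for x in self.u_set
                         if all(self.less_or_equal(y, x) for y in s))

    def lub(self, s: FrozenSet) -> Optional[Any]:
        """Least upper bound: the least member of the set of upper bounds."""
        return self.least(self.upper_bounds(s))

    def is_chain(self, s: FrozenSet) -> bool:
        """s is totally ordered by the order relation."""
        return all(self.less_or_equal(x, y) or self.less_or_equal(y, x)
                   for x in s for y in s)

    def chains(self) -> Iterator[FrozenSet]:
        elems = sorted(self.u_set)
        for bits in product([0, 1], repeat=len(elems)):
            c = frozenset(e for e, b in zip(elems, bits) if b)
            if self.is_chain(c):
                yield c

    def is_inductive(self) -> bool:
        """Every chain has an upper bound (checked exhaustively, finite case)."""
        return all(self.upper_bounds(c) for c in self.chains())

    def zorn(self, x):
        """Finite Zorn's lemma: climb strictly upward from x.  Irreflexivity
        plus transitivity rule out cycles, so the climb stops at a maximal
        element that is GREATER-OR-EQUAL-TO x."""
        if x not in self.u_set:
            raise KeyError(x)
        while self.r[x]:
            x = min(self.r[x])     # any strictly greater element would do
        return x


# Constructed sample: proper divisibility on {1, 2, 3, 4, 6, 8, 12}.
U = frozenset([1, 2, 3, 4, 6, 8, 12])
DIV = Poset(U, {x: frozenset(y for y in U if y != x and y % x == 0) for x in U})
```

In `DIV` the maximal elements are 8 and 12 while there is no greatest element, which is exactly the distinction the text draws; `lub({2, 3})` is 6 and `zorn(3)` climbs 3, 6, 12 to a maximal element above 3.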

(DEFTYPE (PARTIAL-ORDER-ON (S SET))
  (AND-TYPE (TRANSITIVE-RELATION-ON S)
            (IRREFLEXIVE-RELATION-ON S)))

(DEFTERM (THE-EMPTY-RELATION-ON (S SET))
  (THE-RULE ((X (MEMBER-OF S)))
    THE-EMPTY-SET))
(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (IS (THE-EMPTY-RELATION-ON S)
        (PARTIAL-ORDER-ON S))))



(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (THE-EMPTY-RELATION-ON S))
   (PUSH-GOAL (IS R (PARTIAL-ORDER-ON S))))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF S)))
    (IN-CONTEXT
      ((LET-BE S2 (APPLY-RULE R X)))
      (NOTE (IS R (RELATION-ON S))))
    (NOTE-GOAL)))



(DEFTYPE POSET
  (LAMBDA ((S RELATION-STRUCTURE))
    (IS (GET-RELATION S)
        (PARTIAL-ORDER-ON (U-SET S)))))



(LEMMA (EXISTS-SOME POSET)) 



(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (PARTIAL-ORDER-ON S))
   (LET-BE W (MAKE-RELATION-STRUCTURE R S)))
  (NOTE (EXISTS-SOME POSET)))






(DEFTYPE (LESS-THAN (X (IN-U-SET W)) (W POSET))
  (LEFT-ADJACENT X W))
(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P)))
    (NOT (IS X
             (LESS-THAN X P)))))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (IN-U-SET P)))
    (NOT
      (AND
        (IS X
            (LESS-THAN Y P))
        (IS Y
            (LESS-THAN X P))))))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (LESS-THAN X P))
           (Z (LESS-THAN Y P)))
    (IS Z (LESS-THAN X P))))






(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE X (IN-U-SET P)))

  (IN-CONTEXT
    ((PUSH-GOAL
       (NOT (IS X (LESS-THAN X P))))
     (LET-BE R (GET-RELATION P))
     (LET-BE S (U-SET P)))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((LET-BE Y (IN-U-SET P))
     (PUSH-GOAL
       (NOT
         (AND (IS X (LESS-THAN Y P))
              (IS Y (LESS-THAN X P)))))
     (LET-BE R (GET-RELATION P))
     (LET-BE S (U-SET P)))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((PUSH-GOAL
       (FORALL ((Y (LESS-THAN X P)))
         (IS-EVERY (LESS-THAN Y P)
                   (LESS-THAN X P)))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME (LESS-THAN X P)))
       (LET-BE Y (LESS-THAN X P)))
      (IN-CONTEXT
        ((SUPPOSE
           (EXISTS-SOME (LESS-THAN Y P)))
         (LET-BE Z (LESS-THAN Y P))
         (LET-BE R (GET-RELATION P))
         (LET-BE S (U-SET P)))
        (NOTE (IS-EVERY (LESS-THAN Y P)
                        (LESS-THAN X P))))
      (NOTE (IS-EVERY (LESS-THAN Y P)
                      (LESS-THAN X P)))
      (NOTE-GOAL))
    (NOTE-GOAL)))



(DEFTYPE (GREATER-THAN (X (IN-U-SET W)) (W POSET))
  (RIGHT-ADJACENT X W))
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(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (GREATER-THAN X P)))
    (IS X (LESS-THAN Y P))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE X (IN-U-SET P))
   (PUSH-GOAL
     (FORALL ((Y (GREATER-THAN X P)))
       (IS X (LESS-THAN Y P)))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (GREATER-THAN X P)))
     (LET-BE Y (GREATER-THAN X P))
     (LET-BE R (GET-RELATION P))
     (LET-BE S (U-SET P)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE (LESS-OR-EQUAL-TO (X (IN-U-SET W)) (W POSET))
  (OR-TYPE (LESS-THAN X W) (EQUAL-TO X)))



(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (LESS-OR-EQUAL-TO X P)))
    (IS Y (IN-U-SET P))))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (LESS-OR-EQUAL-TO X P))
           (Z (LESS-OR-EQUAL-TO Y P)))
    (IS Z (LESS-OR-EQUAL-TO X P))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE X (IN-U-SET P))
   (LET-BE Y (LESS-OR-EQUAL-TO X P)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS Y (IN-U-SET P))))
    (IN-CONTEXT
      ((SUPPOSE (IS Y (LESS-THAN X P))))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE Z (LESS-OR-EQUAL-TO Y P))
     (PUSH-GOAL (IS Z (LESS-OR-EQUAL-TO X P))))
    (IN-CONTEXT ((SUPPOSE (= Y X)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((SUPPOSE (IS Y (LESS-THAN X P))))
      (IN-CONTEXT
        ((SUPPOSE (IS Z (LESS-THAN Y P))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (LESS-OR-EQUAL-TO X P)))
    (=> (IS X (LESS-OR-EQUAL-TO Y P))
        (= X Y))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE X (IN-U-SET P))
   (LET-BE Y (LESS-OR-EQUAL-TO X P))
   (SUPPOSE (IS X (LESS-OR-EQUAL-TO Y P))))
  (NOTE (= X Y)))

(DEFTYPE (GREATER-OR-EQUAL-TO (X (IN-U-SET W))
                              (W POSET))
  (OR-TYPE (GREATER-THAN X W) (EQUAL-TO X)))
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(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (GREATER-OR-EQUAL-TO X P)))
    (IS Y (IN-U-SET P))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE X (IN-U-SET P))
   (LET-BE Y (GREATER-OR-EQUAL-TO X P))
   (PUSH-GOAL (IS Y (IN-U-SET P))))
  (IN-CONTEXT
    ((SUPPOSE (IS Y (GREATER-THAN X P))))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((P POSET)
           (Y (IN-U-SET P))
           (X (IN-U-SET P)))
    (=> (IS Y (LESS-OR-EQUAL-TO X P))
        (IS X (GREATER-OR-EQUAL-TO Y P)))))

(LEMMA
  (FORALL ((P POSET)
           (Y (IN-U-SET P))
           (X (IN-U-SET P)))
    (=> (IS Y (GREATER-OR-EQUAL-TO X P))
        (IS X (LESS-OR-EQUAL-TO Y P)))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE Y (IN-U-SET P)))
  (IN-CONTEXT
    ((SUPPOSE (IS Y (LESS-OR-EQUAL-TO X P)))
     (PUSH-GOAL (IS X (GREATER-OR-EQUAL-TO Y P))))
    (IN-CONTEXT
      ((SUPPOSE (IS Y (LESS-THAN X P))))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((SUPPOSE (IS Y (GREATER-OR-EQUAL-TO X P)))
     (PUSH-GOAL (IS X (LESS-OR-EQUAL-TO Y P))))
    (IN-CONTEXT
      ((SUPPOSE (IS Y (GREATER-THAN X P))))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTERM (RESTRICT-ORDER
           (O POSET)
           (S (NON-EMPTY-SUBSET-OF (U-SET O))))
  (RESTRICT-RELATION-STRUCTURE S))
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(LEMMA
  (FORALL ((S1 NON-EMPTY-SET)
           (R1 (TRANSITIVE-RELATION-ON S1))
           (S2 (SUBSET-OF S1)))
    (IS (RESTRICT-RELATION R1 S2)
        (TRANSITIVE-RELATION-ON S2))))

(IN-CONTEXT
  ((LET-BE S1 NON-EMPTY-SET)
   (LET-BE R1 (TRANSITIVE-RELATION-ON S1))
   (LET-BE S2 (SUBSET-OF S1))
   (LET-BE R2 (RESTRICT-RELATION R1 S2))
   (PUSH-GOAL (IS R2 (TRANSITIVE-RELATION-ON S2))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
     (LET-BE X (MEMBER-OF S2)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (FORALL ((Y (RELATED-TO X R2)))
           (IS-EVERY (RELATED-TO Y R2)
                     (RELATED-TO X R2)))))
      (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (RELATED-TO X R2)))
                   (LET-BE Y (RELATED-TO X R2)))
        (IN-CONTEXT
          ((PUSH-GOAL
             (IS-EVERY (RELATED-TO Y R2)
                       (RELATED-TO X R2))))
          (IN-CONTEXT
            ((SUPPOSE (EXISTS-SOME (RELATED-TO Y R2)))
             (LET-BE Z (RELATED-TO Y R2)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((S SET))
    (EXISTS-SOME (IRREFLEXIVE-RELATION-ON S))))

(LEMMA
  (FORALL ((S1 NON-EMPTY-SET)
           (R1 (IRREFLEXIVE-RELATION-ON S1))
           (S2 (SUBSET-OF S1)))
    (IS (RESTRICT-RELATION R1 S2)
        (IRREFLEXIVE-RELATION-ON S2))))

(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE R (THE-EMPTY-RELATION-ON S)))
  (NOTE (EXISTS-SOME (IRREFLEXIVE-RELATION-ON S))))

(IN-CONTEXT
  ((LET-BE S1 NON-EMPTY-SET)
   (LET-BE R1 (IRREFLEXIVE-RELATION-ON S1))
   (LET-BE S2 (SUBSET-OF S1))
   (LET-BE R2 (RESTRICT-RELATION R1 S2))
   (PUSH-GOAL (IS R2 (IRREFLEXIVE-RELATION-ON S2))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
     (LET-BE X (MEMBER-OF S2)))
    (NOTE-GOAL))
  (NOTE-GOAL))
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(LEMMA
  (FORALL ((P POSET)
           (S2 (NON-EMPTY-SUBSET-OF (U-SET P))))
    (IS (RESTRICT-ORDER P S2) POSET)))

(LEMMA
  (FORALL ((P POSET)
           (S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
           (X (IN-U-SET (RESTRICT-ORDER P S2))))
    (IS X (IN-U-SET P))))

(LEMMA
  (FORALL ((P POSET)
           (S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
           (Y (IN-U-SET (RESTRICT-ORDER P S2)))
           (X (IN-U-SET (RESTRICT-ORDER P S2))))
    (IFF (IS X (LESS-THAN Y (RESTRICT-ORDER P S2)))
         (IS X (LESS-THAN Y P)))))

(LEMMA
  (FORALL ((P POSET)
           (S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
           (Y (IN-U-SET (RESTRICT-ORDER P S2)))
           (X (IN-U-SET (RESTRICT-ORDER P S2))))
    (IFF (IS X (LESS-OR-EQUAL-TO Y (RESTRICT-ORDER P S2)))
         (IS X (LESS-OR-EQUAL-TO Y P)))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
   (LET-BE P2 (RESTRICT-ORDER P S2)))
  (IN-CONTEXT
    ((LET-BE S1 (U-SET P))
     (LET-BE R1 (GET-RELATION P))
     (LET-BE R2 (GET-RELATION P2)))
    (NOTE (IS P2 POSET))
    (IN-CONTEXT ((LET-BE X (IN-U-SET P2))
                 (LET-BE Y (IN-U-SET P2)))
      (NOTE (IS X (IN-U-SET P)))
      (NOTE (IFF (IS X (LESS-THAN Y P2))
                 (IS X (LESS-THAN Y P)))))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
   (LET-BE P2 (RESTRICT-ORDER P S2)))
  (IN-CONTEXT
    ((LET-BE X (IN-U-SET P2))
     (LET-BE Y (IN-U-SET P2)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (IFF (IS X (LESS-OR-EQUAL-TO Y P2))
              (IS X (LESS-OR-EQUAL-TO Y P)))))
      (IN-CONTEXT
        ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y P2))))
        (IN-CONTEXT ((SUPPOSE (= X Y)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT
        ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y P))))
        (IN-CONTEXT ((SUPPOSE (= X Y)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))))
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(DEFTYPE (TOTAL-ORDER-ON (S SET))
  (LAMBDA ((R (PARTIAL-ORDER-ON S)))
    (FORALL ((X (MEMBER-OF S))
             (Y (MEMBER-OF S)))
      (OR (= X Y)
          (IS X (RELATED-TO Y R))
          (IS Y (RELATED-TO X R))))))

(DEFTYPE TOTALLY-ORDERED-SET
  (LAMBDA ((S RELATION-STRUCTURE))
    (IS (GET-RELATION S)
        (TOTAL-ORDER-ON (U-SET S)))))

(LEMMA (EXISTS-SOME TOTALLY-ORDERED-SET))

(IN-CONTEXT
  ((LET-BE S SINGLETON-SET)
   (LET-BE R (THE-EMPTY-RELATION-ON S))
   (LET-BE W (MAKE-RELATION-STRUCTURE R S)))
  (NOTE (EXISTS-SOME TOTALLY-ORDERED-SET)))

(LEMMA
  (FORALL ((W TOTALLY-ORDERED-SET))
    (IS W POSET)))

(IN-CONTEXT
  ((LET-BE W TOTALLY-ORDERED-SET)
   (PUSH-GOAL (IS W POSET))
   (LET-BE R (GET-RELATION W))
   (LET-BE S (U-SET W)))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((W TOTALLY-ORDERED-SET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (OR (IS X (LESS-OR-EQUAL-TO Y W))
        (IS Y (LESS-OR-EQUAL-TO X W)))))

(IN-CONTEXT
  ((LET-BE W TOTALLY-ORDERED-SET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (LET-BE R (GET-RELATION W))
   (LET-BE S (U-SET W)))
  (IN-CONTEXT
    ((PUSH-GOAL
       (OR (IS X (LESS-OR-EQUAL-TO Y W))
           (IS Y (LESS-OR-EQUAL-TO X W)))))
    (IN-CONTEXT ((SUPPOSE (= X Y)))
      (NOTE-GOAL))
    (IN-CONTEXT ((SUPPOSE (IS X (LESS-THAN Y W))))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (MINIMAL-ELEMENT-OF (W POSET))
  (LAMBDA ((X (IN-U-SET W)))
    (NOT (EXISTS-SOME (LESS-THAN X W)))))

(DEFTYPE (MAXIMAL-ELEMENT-OF (W POSET))
  (LAMBDA ((X (IN-U-SET W)))
    (NOT (EXISTS-SOME (GREATER-THAN X W)))))

(DEFTYPE (UPPER-BOUND-OF (S (SUBSET-OF (U-SET W)))
                         (W POSET))
  (LAMBDA ((A (IN-U-SET W)))
    (IS-EVERY (MEMBER-OF S)
              (LESS-OR-EQUAL-TO A W))))
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(LEMMA
  (FORALL ((W POSET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (IS-EVERY
      (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                (GREATER-OR-EQUAL-TO Y W))
      (UPPER-BOUND-OF (MAKE-SET X Y) W))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (PUSH-GOAL
     (IS-EVERY
       (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                 (GREATER-OR-EQUAL-TO Y W))
       (UPPER-BOUND-OF (MAKE-SET X Y) W))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME
         (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                   (GREATER-OR-EQUAL-TO Y W))))
     (LET-BE Z (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                         (GREATER-OR-EQUAL-TO Y W))))
    (IN-CONTEXT
      ((PUSH-GOAL
         (IS Z (UPPER-BOUND-OF (MAKE-SET X Y) W))))
      (IN-CONTEXT ((LET-BE S (MAKE-SET X Y))
                   (LET-BE Z2 (MEMBER-OF S)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Z (GREATER-OR-EQUAL-TO Z2 W))))
          (IN-CONTEXT ((SUPPOSE (= Z2 X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((W POSET)
           (Y (IN-U-SET W))
           (X (IN-U-SET W)))
    (IS-EVERY (UPPER-BOUND-OF (MAKE-SET X Y) W)
              (GREATER-OR-EQUAL-TO X W))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (LET-BE S (MAKE-SET X Y))
   (PUSH-GOAL
     (IS-EVERY (UPPER-BOUND-OF S W)
               (GREATER-OR-EQUAL-TO X W))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (UPPER-BOUND-OF S W)))
     (LET-BE Z (UPPER-BOUND-OF S W)))
    (NOTE-GOAL))
  (NOTE-GOAL))
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(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (S (SUBSET-OF (U-SET P))))
    (IS-EVERY
      (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                (UPPER-BOUND-OF S P))
      (UPPER-BOUND-OF (INSERT X S) P))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE S (SUBSET-OF (U-SET P)))
   (LET-BE X (IN-U-SET P))
   (PUSH-GOAL
     (IS-EVERY
       (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                 (UPPER-BOUND-OF S P))
       (UPPER-BOUND-OF (INSERT X S) P))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME
         (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                   (UPPER-BOUND-OF S P))))
     (LET-BE Y
       (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                 (UPPER-BOUND-OF S P))))
    (IN-CONTEXT
      ((PUSH-GOAL (IS Y (UPPER-BOUND-OF (INSERT X S) P))))
      (IN-CONTEXT ((LET-BE S2 (INSERT X S))
                   (LET-BE Z (MEMBER-OF S2)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Y (GREATER-OR-EQUAL-TO Z P))))
          (IN-CONTEXT ((SUPPOSE (= Z X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GO(NOTE-GOAL)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE (LOWER-BOUND-OF (S (SUBSET-OF (U-SET W)))
                         (W POSET))
  (LAMBDA ((A (IN-U-SET W)))
    (IS-EVERY (MEMBER-OF S) (GREATER-OR-EQUAL-TO A W))))
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(LEMMA
  (FORALL ((W POSET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (IS-EVERY
      (AND-TYPE (LESS-OR-EQUAL-TO X W)
                (LESS-OR-EQUAL-TO Y W))
      (LOWER-BOUND-OF (MAKE-SET X Y) W))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (PUSH-GOAL
     (IS-EVERY
       (AND-TYPE (LESS-OR-EQUAL-TO X W)
                 (LESS-OR-EQUAL-TO Y W))
       (LOWER-BOUND-OF (MAKE-SET X Y) W))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME
         (AND-TYPE (LESS-OR-EQUAL-TO X W)
                   (LESS-OR-EQUAL-TO Y W))))
     (LET-BE Z (AND-TYPE (LESS-OR-EQUAL-TO X W)
                         (LESS-OR-EQUAL-TO Y W))))
    (IN-CONTEXT
      ((PUSH-GOAL
         (IS Z (LOWER-BOUND-OF (MAKE-SET X Y) W))))
      (IN-CONTEXT ((LET-BE S (MAKE-SET X Y))
                   (LET-BE Z2 (MEMBER-OF S)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Z (LESS-OR-EQUAL-TO Z2 W))))
          (IN-CONTEXT ((SUPPOSE (= Z2 X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((W POSET)
           (Y (IN-U-SET W))
           (X (IN-U-SET W)))
    (IS-EVERY (LOWER-BOUND-OF (MAKE-SET X Y) W)
              (LESS-OR-EQUAL-TO X W))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (LET-BE S (MAKE-SET X Y))
   (PUSH-GOAL
     (IS-EVERY (LOWER-BOUND-OF S W)
               (LESS-OR-EQUAL-TO X W))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (LOWER-BOUND-OF S W)))
     (LET-BE Z (LOWER-BOUND-OF S W)))
    (NOTE-GOAL))
  (NOTE-GOAL))
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(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (S (SUBSET-OF (U-SET P))))
    (IS-EVERY
      (AND-TYPE (LESS-OR-EQUAL-TO X P)
                (LOWER-BOUND-OF S P))
      (LOWER-BOUND-OF (INSERT X S) P))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE S (SUBSET-OF (U-SET P)))
   (LET-BE X (IN-U-SET P))
   (PUSH-GOAL
     (IS-EVERY
       (AND-TYPE (LESS-OR-EQUAL-TO X P)
                 (LOWER-BOUND-OF S P))
       (LOWER-BOUND-OF (INSERT X S) P))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME
         (AND-TYPE (LESS-OR-EQUAL-TO X P)
                   (LOWER-BOUND-OF S P))))
     (LET-BE Y
       (AND-TYPE (LESS-OR-EQUAL-TO X P)
                 (LOWER-BOUND-OF S P))))
    (IN-CONTEXT
      ((PUSH-GOAL (IS Y (LOWER-BOUND-OF (INSERT X S) P))))
      (IN-CONTEXT ((LET-BE S2 (INSERT X S))
                   (LET-BE Z (MEMBER-OF S2)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Y (LESS-OR-EQUAL-TO Z P))))
          (IN-CONTEXT ((SUPPOSE (= Z X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE (LEAST-MEMBER-OF (S (SUBSET-OF (U-SET W)))
                          (W POSET))
  (LAMBDA ((X (MEMBER-OF S)))
    (IS-EVERY (MEMBER-OF S)
              (GREATER-OR-EQUAL-TO X W))))
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(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (IS-EVERY (LEAST-MEMBER-OF S W)
              (IN-U-SET W))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (AT-MOST-ONE (LEAST-MEMBER-OF S W))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE S (SUBSET-OF (U-SET W))))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS-EVERY (LEAST-MEMBER-OF S W)
                 (IN-U-SET W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (LEAST-MEMBER-OF S W)))
       (LET-BE X (LEAST-MEMBER-OF S W))
       (LET-BE S (U-SET W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (AT-MOST-ONE (LEAST-MEMBER-OF S W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (LEAST-MEMBER-OF S W)))
       (LET-BE X (LEAST-MEMBER-OF S W))
       (LET-BE Y (LEAST-MEMBER-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (GREATEST-MEMBER-OF (S (SUBSET-OF (U-SET W)))
                             (W POSET))
  (LAMBDA ((X (MEMBER-OF S)))
    (IS-EVERY (MEMBER-OF S)
              (LESS-OR-EQUAL-TO X W))))
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(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W)))
           (X (GREATEST-MEMBER-OF S W)))
    (IS X (IN-U-SET W))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (AT-MOST-ONE (GREATEST-MEMBER-OF S W))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE S (SUBSET-OF (U-SET W))))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS-EVERY (GREATEST-MEMBER-OF S W)
                 (IN-U-SET W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (GREATEST-MEMBER-OF S W)))
       (LET-BE X (GREATEST-MEMBER-OF S W))
       (LET-BE S (U-SET W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (AT-MOST-ONE (GREATEST-MEMBER-OF S W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (GREATEST-MEMBER-OF S W)))
       (LET-BE X (GREATEST-MEMBER-OF S W))
       (LET-BE Y (GREATEST-MEMBER-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (LEAST-UPPER-BOUND-OF (S (SUBSET-OF (U-SET W)))
                               (W POSET))
  (LEAST-MEMBER-OF
    (THE-SET-OF-ALL (UPPER-BOUND-OF S W)) W))
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(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (IS (THE-SET-OF-ALL (UPPER-BOUND-OF S W))
        (SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (AT-MOST-ONE (LEAST-UPPER-BOUND-OF S W))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W)))
           (X (LEAST-UPPER-BOUND-OF S W)))
    (IS X (UPPER-BOUND-OF S W))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (=> (EXISTS-SOME (UPPER-BOUND-OF S W))
        (FORALL ((X (UPPER-BOUND-OF S W)))
          (=> (IS-EVERY (UPPER-BOUND-OF S W)
                        (GREATER-OR-EQUAL-TO X W))
              (IS X (LEAST-UPPER-BOUND-OF S W)))))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (=> (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W))
        (FORALL ((Y (UPPER-BOUND-OF S W)))
          (IS-EVERY (LEAST-UPPER-BOUND-OF S W)
                    (LESS-OR-EQUAL-TO Y W))))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE S (SUBSET-OF (U-SET W)))
   (LET-BE S2 (THE-SET-OF-ALL (UPPER-BOUND-OF S W))))
  (IN-CONTEXT ((LET-BE S3 (U-SET W))
               (PUSH-GOAL (IS S2 (SUBSET-OF S3))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
                 (LET-BE X (MEMBER-OF S2)))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (NOTE (AT-MOST-ONE (LEAST-UPPER-BOUND-OF S W)))

  (IN-CONTEXT
    ((PUSH-GOAL
       (IS-EVERY (LEAST-UPPER-BOUND-OF S W)
                 (UPPER-BOUND-OF S W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))
       (LET-BE X (LEAST-UPPER-BOUND-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (UPPER-BOUND-OF S W)))
     (LET-BE X (UPPER-BOUND-OF S W))
     (SUPPOSE (IS-EVERY (UPPER-BOUND-OF S W)
                        (GREATER-OR-EQUAL-TO X W))))
    (NOTE (IS X (LEAST-UPPER-BOUND-OF S W))))

  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))
     (LET-BE X (LEAST-UPPER-BOUND-OF S W))
     (LET-BE Y (UPPER-BOUND-OF S W)))
    (NOTE (IS X (LESS-OR-EQUAL-TO Y W)))))
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(LEMMA
  (FORALL ((W POSET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (AT-MOST-ONE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))))

(LEMMA
  (FORALL ((W POSET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (=> (EXISTS-SOME (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))
        (FORALL ((Z2 (UPPER-BOUND-OF (MAKE-SET X Y) W)))
          (IS (THE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))
              (LESS-OR-EQUAL-TO Z2 W))))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (LET-BE S (MAKE-SET X Y)))

  (NOTE (AT-MOST-ONE (LEAST-UPPER-BOUND-OF S W)))

  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))
     (LET-BE Z (THE (LEAST-UPPER-BOUND-OF S W))))
    (IN-CONTEXT
      ((LET-BE Z2 (UPPER-BOUND-OF S W)))
      (NOTE (IS Z (LESS-OR-EQUAL-TO Z2 W))))))

(DEFTYPE (GREATEST-LOWER-BOUND-OF (S (SUBSET-OF (U-SET W)))
                                  (W POSET))
  (GREATEST-MEMBER-OF
    (THE-SET-OF-ALL (LOWER-BOUND-OF S W)) W))
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(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (IS (THE-SET-OF-ALL (LOWER-BOUND-OF S W))
        (SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF S W))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W)))
           (X (GREATEST-LOWER-BOUND-OF S W)))
    (IS X (LOWER-BOUND-OF S W))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (=> (EXISTS-SOME (LOWER-BOUND-OF S W))
        (FORALL ((X (LOWER-BOUND-OF S W)))
          (=> (IS-EVERY (LOWER-BOUND-OF S W)
                        (LESS-OR-EQUAL-TO X W))
              (IS X (GREATEST-LOWER-BOUND-OF S W)))))))

(LEMMA
  (FORALL ((W POSET)
           (S (SUBSET-OF (U-SET W))))
    (=> (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W))
        (FORALL ((Y (LOWER-BOUND-OF S W)))
          (IS-EVERY (GREATEST-LOWER-BOUND-OF S W)
                    (GREATER-OR-EQUAL-TO Y W))))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE S (SUBSET-OF (U-SET W)))
   (LET-BE S2 (THE-SET-OF-ALL (LOWER-BOUND-OF S W))))
  (IN-CONTEXT ((LET-BE S3 (U-SET W))
               (PUSH-GOAL (IS S2 (SUBSET-OF S3))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
                 (LET-BE X (MEMBER-OF S2)))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (NOTE (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF S W)))

  (IN-CONTEXT
    ((PUSH-GOAL
       (IS-EVERY (GREATEST-LOWER-BOUND-OF S W)
                 (LOWER-BOUND-OF S W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W)))
       (LET-BE X (GREATEST-LOWER-BOUND-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (LOWER-BOUND-OF S W)))
     (LET-BE X (LOWER-BOUND-OF S W))
     (SUPPOSE (IS-EVERY (LOWER-BOUND-OF S W)
                        (LESS-OR-EQUAL-TO X W))))
    (NOTE (IS X (GREATEST-LOWER-BOUND-OF S W))))

  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W)))
     (LET-BE X (GREATEST-LOWER-BOUND-OF S W))
     (LET-BE Y (LOWER-BOUND-OF S W)))
    (NOTE (IS X (GREATER-OR-EQUAL-TO Y W)))))
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(LEMMA
  (FORALL ((W POSET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))))

(LEMMA
  (FORALL ((W POSET)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (=> (EXISTS-SOME (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))
        (FORALL ((Z2 (LOWER-BOUND-OF (MAKE-SET X Y) W)))
          (IS (THE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))
              (GREATER-OR-EQUAL-TO Z2 W))))))

(IN-CONTEXT
  ((LET-BE W POSET)
   (LET-BE X (IN-U-SET W))
   (LET-BE Y (IN-U-SET W))
   (LET-BE S (MAKE-SET X Y)))

  (NOTE (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF S W)))

  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W)))
     (LET-BE Z (THE (GREATEST-LOWER-BOUND-OF S W))))
    (IN-CONTEXT
      ((LET-BE Z2 (LOWER-BOUND-OF S W)))
      (NOTE (IS Z (GREATER-OR-EQUAL-TO Z2 W))))))

(DEFTYPE (CHAIN-IN (P POSET))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET P))))
    (IS (RESTRICT-ORDER P S)
        TOTALLY-ORDERED-SET)))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P)))
    (IS (MAKE-SET X) (CHAIN-IN P))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE S (MAKE-SET X))
             (PUSH-GOAL (IS S (CHAIN-IN P))))
  (IN-CONTEXT ((LET-BE RCHAIN (RESTRICT-ORDER P S))
               (LET-BE REL (GET-RELATION RCHAIN)))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((P1 POSET)
           (C (CHAIN-IN P1))
           (X (MEMBER-OF C))
           (Y (MEMBER-OF C)))
    (OR (IS X (LESS-OR-EQUAL-TO Y P1))
        (IS Y (LESS-OR-EQUAL-TO X P1)))))

(IN-CONTEXT ((LET-BE P1 POSET)
             (LET-BE C (CHAIN-IN P1))
             (LET-BE P2 (RESTRICT-ORDER P1 C))
             (LET-BE X (MEMBER-OF C))
             (LET-BE Y (MEMBER-OF C)))
  (NOTE (OR (IS X (LESS-OR-EQUAL-TO Y P1))
            (IS Y (LESS-OR-EQUAL-TO X P1)))))

A.5. PARTIAL ORDERS AND ZORN'S LEMMA 303

(DEFTYPE INDUCTIVE-ORDER
  (LAMBDA ((R POSET))
    (FORALL ((S (CHAIN-IN R)))
      (EXISTS-SOME (UPPER-BOUND-OF S R)))))

;We take Zorn's Lemma as an axiom
(AXIOM
  (FORALL ((R INDUCTIVE-ORDER)
           (X (IN-U-SET R)))
    (EXISTS-SOME
      (AND-TYPE (MAXIMAL-ELEMENT-OF R)
                (GREATER-OR-EQUAL-TO X R)))))
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A.6 Lattices

A lattice is a poset in which every pair of elements has both a least upper
bound and a greatest lower bound. The greatest lower bound and least upper
bound of two elements are called the meet and join respectively. A complete
lattice is a poset in which every subset of the underlying set has a least upper
bound. We prove that in a complete lattice every subset also has a greatest
lower bound.

The inclusion order on a family of sets F is a poset whose underlying
set is the family F and where x is less than or equal to y just in case x is
a subset of y. For any set s the inclusion order on the power set of s is a
complete lattice such that for any subset F of the power set of s the least
upper bound and greatest lower bound of F are respectively the union and
intersection over F. The poset which is the inclusion order on the power set
of s is called a power set lattice.

The meet and join functions are monotone in each argument, i.e. increasing
an argument never decreases the meet or join. The meet of x and the
meet of y and z is the greatest lower bound of the set {x, y, z} and thus the
meet function is associative. The join function is similarly associative.
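The poset definitions of A.5 (strict order, bounds, RESTRICT-ORDER, CHAIN-IN) and the lattice facts of this section, checked on a small finite instance. This is an added Python example, not code from the Ontic appendix: `FinitePoset`, `power_set_lattice` and the checking functions are my names, and the power set lattice of {1, 2, 3} is a constructed sample.

```python
from itertools import combinations


def all_subsets(s):
    """POWER-SET of a finite set, as frozensets (constructed helper)."""
    items = list(s)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def is_strict_partial_order(elements, less):
    """PARTIAL-ORDER-ON: the relation is irreflexive and transitive."""
    irreflexive = not any(less(x, x) for x in elements)
    transitive = all(less(x, z) for x in elements for y in elements
                     for z in elements if less(x, y) and less(y, z))
    return irreflexive and transitive


class FinitePoset:
    """A finite poset: an underlying set plus a strict relation less(x, y).
    LESS-OR-EQUAL-TO is LESS-THAN or equality; bounds follow the appendix's
    definitions (UPPER-BOUND-OF, LEAST-MEMBER-OF, LEAST-UPPER-BOUND-OF)."""

    def __init__(self, elements, less):
        if not is_strict_partial_order(elements, less):
            raise ValueError("relation is not a strict partial order")
        self.elements = frozenset(elements)
        self.less = less

    def leq(self, x, y):
        return x == y or self.less(x, y)

    def upper_bounds(self, s):
        return {a for a in self.elements if all(self.leq(x, a) for x in s)}

    def lower_bounds(self, s):
        return {a for a in self.elements if all(self.leq(a, x) for x in s)}

    def least_member(self, s):
        # Antisymmetry makes the least member unique (AT-MOST-ONE); None if absent.
        found = [x for x in s if all(self.leq(x, y) for y in s)]
        return found[0] if found else None

    def greatest_member(self, s):
        found = [x for x in s if all(self.leq(y, x) for y in s)]
        return found[0] if found else None

    def lub(self, s):
        return self.least_member(self.upper_bounds(s))

    def glb(self, s):
        return self.greatest_member(self.lower_bounds(s))

    def restrict(self, s):
        # RESTRICT-ORDER: the same relation on a subset of the elements.
        return FinitePoset(s, self.less)

    def is_chain(self, s):
        # CHAIN-IN: the restriction to s is totally ordered.
        return all(self.leq(x, y) or self.leq(y, x) for x in s for y in s)

    def is_lattice(self):
        return all(self.lub({x, y}) is not None and self.glb({x, y}) is not None
                   for x in self.elements for y in self.elements)

    def is_complete_lattice(self):
        return all(self.lub(s) is not None for s in all_subsets(self.elements))

    def join(self, x, y):
        return self.lub({x, y})

    def meet(self, x, y):
        return self.glb({x, y})


def power_set_lattice(s):
    """INCLUSION-ORDER on POWER-SET s: x < y iff x is a proper subset of y."""
    return FinitePoset(all_subsets(s), lambda x, y: x < y)

def complete_lattice_has_all_glbs(p):
    """The appendix's argument in miniature: in a complete lattice every subset
    has a GLB, namely the LUB of the set of its lower bounds."""
    return all(p.glb(s) is not None and p.glb(s) == p.lub(p.lower_bounds(s))
               for s in all_subsets(p.elements))

def meet_join_are_intersection_union(b):
    return all(b.join(x, y) == x | y and b.meet(x, y) == x & y
               for x in b.elements for y in b.elements)

def meet_join_monotone_and_associative(lat):
    e = lat.elements
    monotone = all(lat.leq(lat.meet(x, y), lat.meet(x2, y))
                   and lat.leq(lat.join(x, y), lat.join(x2, y))
                   for x in e for x2 in e for y in e if lat.leq(x, x2))
    associative = all(lat.meet(x, lat.meet(y, z)) == lat.meet(lat.meet(x, y), z)
                      and lat.join(x, lat.join(y, z)) == lat.join(lat.join(x, y), z)
                      for x in e for y in e for z in e)
    return monotone and associative
```

Restricting the power set lattice to an antichain such as {{1}, {2}} gives a poset that is not a lattice, which is why the lemmas above treat the existence of a least upper bound as a hypothesis rather than a given.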
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(DEFTYPE LATTICE
  (LAMBDA ((W POSET))
    (FORALL ((X (IN-U-SET W))
             (Y (IN-U-SET W)))
      (AND (EXISTS-SOME (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))
           (EXISTS-SOME (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))))))

(DEFTERM (JOIN (X (IN-U-SET L))
               (Y (IN-U-SET L))
               (L LATTICE))
  (THE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) L)))

(DEFTERM (MEET (X (IN-U-SET L))
               (Y (IN-U-SET L))
               (L LATTICE))
  (THE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) L)))

(DEFTYPE COMPLETE-LATTICE
  (LAMBDA ((W POSET))
    (FORALL ((S (SUBSET-OF (U-SET W))))
      (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))))

(LEMMA (EXISTS-SOME COMPLETE-LATTICE))

(IN-CONTEXT
  ((PUSH-GOAL (EXISTS-SOME COMPLETE-LATTICE))
   (LET-BE S SINGLETON-SET)
   (LET-BE R (THE-EMPTY-RELATION-ON S))
   (LET-BE W (MAKE-RELATION-STRUCTURE R S))
   (LET-BE S2 (SUBSET-OF (U-SET W))))
  (IN-CONTEXT
    ((PUSH-GOAL (EXISTS-SOME (LEAST-UPPER-BOUND-OF S2 W))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
       (LET-BE X (MEMBER-OF S2))
       (LET-BE Y (UPPER-BOUND-OF S2 W)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((SUPPOSE (NOT (EXISTS-SOME (MEMBER-OF S2))))
       (LET-BE X (MEMBER-OF S))
       (LET-BE Y (UPPER-BOUND-OF S2 W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))
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(LEMMA
  (FORALL ((W COMPLETE-LATTICE)
           (S (SUBSET-OF (U-SET W))))
    (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W))))

(IN-CONTEXT
  ((LET-BE W COMPLETE-LATTICE)
   (LET-BE S (SUBSET-OF (U-SET W)))
   (PUSH-GOAL (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W))))
  (IN-CONTEXT
    ((LET-BE S2 (THE-SET-OF-ALL (LOWER-BOUND-OF S W)))
     (LET-BE X (THE (LEAST-UPPER-BOUND-OF S2 W))))
    (IN-CONTEXT
      ((PUSH-GOAL (IS X (LOWER-BOUND-OF S W))))
      (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
                   (LET-BE Y (MEMBER-OF S)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Y (UPPER-BOUND-OF S2 W))))
          (IN-CONTEXT
            ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
             (LET-BE Z (MEMBER-OF S2)))
            (NOTE-GOAL))
          (NOTE-GOAL)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((W COMPLETE-LATTICE))
    (IS W LATTICE)))

(IN-CONTEXT ((LET-BE W COMPLETE-LATTICE)
             (PUSH-GOAL (IS W LATTICE)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET W))
               (LET-BE Y (IN-U-SET W))
               (LET-BE SXY (MAKE-SET X Y)))
    (NOTE-GOAL)))

(DEFTERM (INCLUSION-ORDER (F FAMILY-OF-SETS))
  (MAKE-RELATION-STRUCTURE
    (THE-RULE ((S (MEMBER-OF F)))
      (THE-SET-OF-ALL
        (AND-TYPE (MEMBER-OF F)
                  (PROPER-SUPERSET-OF S))))
    F))
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(LEMMA
  (FORALL ((F FAMILY-OF-SETS))
    (IS (THE-RULE ((S (MEMBER-OF F)))
          (THE-SET-OF-ALL
            (AND-TYPE (MEMBER-OF F)
                      (PROPER-SUPERSET-OF S))))
        (RELATION-ON F))))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS))
    (IS (INCLUSION-ORDER F) POSET)))

(IN-CONTEXT
  ((LET-BE F FAMILY-OF-SETS)
   (LET-BE R
     (THE-RULE ((S (MEMBER-OF F)))
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF F)
                   (PROPER-SUPERSET-OF S))))))
  (IN-CONTEXT
    ((PUSH-GOAL (IS R (RELATION-ON F)))
     (LET-BE S (MEMBER-OF F))
     (LET-BE F2 (APPLY-RULE R S)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS F2 (SUBSET-OF F))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF F2)))
         (LET-BE S2 (MEMBER-OF F2)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS (INCLUSION-ORDER F) POSET)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS R (PARTIAL-ORDER-ON F)))
       (LET-BE S1 (MEMBER-OF F)))
      (IN-CONTEXT
        ((PUSH-GOAL
           (FORALL ((S2 (RELATED-TO S1 R)))
             (IS-EVERY (RELATED-TO S2 R)
                       (RELATED-TO S1 R)))))
        (IN-CONTEXT
          ((SUPPOSE (EXISTS-SOME (RELATED-TO S1 R)))
           (LET-BE S2 (RELATED-TO S1 R)))
          (IN-CONTEXT
            ((PUSH-GOAL
               (IS-EVERY (RELATED-TO S2 R)
                         (RELATED-TO S1 R))))
            (IN-CONTEXT
              ((SUPPOSE (EXISTS-SOME (RELATED-TO S2 R)))
               (LET-BE S3 (RELATED-TO S2 R)))
              (NOTE (IS S3 (NOT-EQUAL-TO S1)))
              (NOTE-GOAL))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((LET-BE W (INCLUSION-ORDER F)))
      (NOTE-GOAL))))
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(LEMMA (FORALL ((F FAMILY-OF-SETS))
          (= (U-SET (INCLUSION-ORDER F))
             F)))

(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S2 (MEMBER-OF F))
           (S1 (MEMBER-OF F)))
    (IFF (IS S1 (LESS-OR-EQUAL-TO S2 (INCLUSION-ORDER F)))
         (IS S1 (SUBSET-OF S2)))))

(IN-CONTEXT
  ((LET-BE F FAMILY-OF-SETS)
   (LET-BE R
     (THE-RULE ((S (MEMBER-OF F)))
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF F)
                   (PROPER-SUPERSET-OF S)))))
   (LET-BE W (INCLUSION-ORDER F)))

  (NOTE (= (U-SET W) F))

  (IN-CONTEXT
    ((LET-BE S1 (MEMBER-OF F))
     (LET-BE S2 (MEMBER-OF F))
     (PUSH-GOAL
       (IFF (IS S1 (LESS-OR-EQUAL-TO S2 W))
            (IS S1 (SUBSET-OF S2)))))
    (IN-CONTEXT
      ((SUPPOSE (IS S1 (LESS-OR-EQUAL-TO S2 W))))
      (IN-CONTEXT ((SUPPOSE (= S1 S2)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT ((SUPPOSE (IS S1 (SUBSET-OF S2))))
      (IN-CONTEXT ((SUPPOSE (= S1 S2)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTERM (POWER-SET-LATTICE (S NON-EMPTY-SET))
  (INCLUSION-ORDER (POWER-SET S)))

(DEFTYPE POWER-LATTICE
  (WRITABLE-AS (POWER-SET-LATTICE S)
               (S NON-EMPTY-SET)))
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(LEMMA
  (FORALL ((B POWER-LATTICE))
    (IS B POSET)))

(LEMMA
  (FORALL ((B POWER-LATTICE))
    (IS (U-SET B) FAMILY-OF-SETS)))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S NON-EMPTY-SET (= B (POWER-SET-LATTICE S))))
    (= S (FAMILY-UNION (U-SET B)))))

(LEMMA
  (FORALL ((B POWER-LATTICE))
    (IS (FAMILY-UNION (U-SET B)) NON-EMPTY-SET)))

(LEMMA
  (FORALL ((B POWER-LATTICE))
    (= (U-SET B)
       (POWER-SET (FAMILY-UNION (U-SET B))))))

(IN-CONTEXT
  ((LET-BE B POWER-LATTICE)
   (WRITE-AS B (POWER-SET-LATTICE S)
             (S NON-EMPTY-SET))
   (LET-BE P (U-SET B))
   (LET-BE P2 (POWER-SET S)))
  (NOTE (IS B POSET))
  (NOTE (IS (U-SET B) FAMILY-OF-SETS))
  (NOTE (= S (FAMILY-UNION (U-SET B))))
  (NOTE (IS (FAMILY-UNION (U-SET B)) NON-EMPTY-SET))
  (NOTE (= (U-SET B)
           (POWER-SET (FAMILY-UNION (U-SET B))))))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S2 (IN-U-SET B)))
    (IS S2 SET)))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S2 (IN-U-SET B)))
    (IS S2 (SUBSET-OF (FAMILY-UNION (U-SET B))))))

(IN-CONTEXT
  ((LET-BE B POWER-LATTICE)
   (WRITE-AS B (POWER-SET-LATTICE S)
             (S NON-EMPTY-SET))
   (LET-BE P (U-SET B))
   (LET-BE S2 (IN-U-SET B)))
  (NOTE (IS S2 SET))
  (NOTE (IS S2 (SUBSET-OF (FAMILY-UNION (U-SET B))))))
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(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S2 (SUBSET-OF (FAMILY-UNION (U-SET B)))))
    (IS S2 (IN-U-SET B))))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S2 (IN-U-SET B))
           (S3 (LESS-OR-EQUAL-TO S2 B)))
    (IS S3 (SUBSET-OF S2))))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S2 (IN-U-SET B))
           (S3 (SUBSET-OF S2)))
    (IS S3 (LESS-OR-EQUAL-TO S2 B))))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (F (NON-EMPTY-SUBSET-OF (U-SET B))))
    (IS F FAMILY-OF-SETS)))

(IN-CONTEXT
  ((LET-BE B POWER-LATTICE)
   (WRITE-AS B (POWER-SET-LATTICE S)
             (S NON-EMPTY-SET))
   (LET-BE P (U-SET B)))

  (IN-CONTEXT
    ((LET-BE S2 (SUBSET-OF (FAMILY-UNION (U-SET B)))))
    (NOTE (IS S2 (IN-U-SET B))))

  (IN-CONTEXT ((LET-BE S2 (IN-U-SET B)))
    (IN-CONTEXT
      ((LET-BE S3 (LESS-OR-EQUAL-TO S2 B)))
      (NOTE (IS S3 (SUBSET-OF S2))))
    (IN-CONTEXT ((LET-BE S3 (SUBSET-OF S2)))
      (NOTE (IS S3 (LESS-OR-EQUAL-TO S2 B)))))

  (IN-CONTEXT
    ((LET-BE F (NON-EMPTY-SUBSET-OF (U-SET B)))
     (PUSH-GOAL (IS F FAMILY-OF-SETS)))
    (IN-CONTEXT ((LET-BE S (MEMBER-OF F)))
      (NOTE-GOAL))))
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(LEMMA
  (FORALL ((B POWER-LATTICE)
           (F (NON-EMPTY-SUBSET-OF (U-SET B))))
    (IS (FAMILY-UNION F)
        (LEAST-UPPER-BOUND-OF F B))))

(IN-CONTEXT
  ((LET-BE B POWER-LATTICE)
   (LET-BE F (NON-EMPTY-SUBSET-OF (U-SET B)))
   (LET-BE LUB (FAMILY-UNION F))
   (PUSH-GOAL (IS LUB (LEAST-UPPER-BOUND-OF F B))))
  (IN-CONTEXT
    ((PUSH-GOAL (IS LUB (IN-U-SET B)))
     (LET-BE S (FAMILY-UNION (U-SET B))))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS LUB (UPPER-BOUND-OF F B)))
     (LET-BE S (MEMBER-OF F)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE S (UPPER-BOUND-OF F B)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS-EVERY (MEMBER-OF F) (SUBSET-OF S)))
       (LET-BE S2 (MEMBER-OF F)))
      (NOTE-GOAL))
    (NOTE-GOAL)))
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(LEMMA
  (FORALL ((B POWER-LATTICE)
           (F (NON-EMPTY-SUBSET-OF (U-SET B))))
    (IS (FAMILY-INTERSECTION F)
        (GREATEST-LOWER-BOUND-OF F B))))

(IN-CONTEXT
  ((LET-BE B POWER-LATTICE)
   (LET-BE F (NON-EMPTY-SUBSET-OF (U-SET B)))
   (LET-BE GLB (FAMILY-INTERSECTION F))
   (PUSH-GOAL (IS GLB (GREATEST-LOWER-BOUND-OF F B))))
  (IN-CONTEXT
    ((PUSH-GOAL (IS GLB (IN-U-SET B)))
     (LET-BE S (FAMILY-UNION (U-SET B)))
     (LET-BE S2 (MEMBER-OF F)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS GLB (LOWER-BOUND-OF F B)))
     (LET-BE S (MEMBER-OF F)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE S (LOWER-BOUND-OF F B)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
       (LET-BE S2 (MEMBER-OF F)))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((B POWER-LATTICE))
    (IS B COMPLETE-LATTICE)))

(IN-CONTEXT
  ((LET-BE B POWER-LATTICE)
   (PUSH-GOAL (IS B COMPLETE-LATTICE)))
  (IN-CONTEXT
    ((LET-BE F (SUBSET-OF (U-SET B))))
    (IN-CONTEXT
      ((PUSH-GOAL (EXISTS-SOME (LEAST-UPPER-BOUND-OF F B))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF F))))
        (IN-CONTEXT
          ((LET-BE S (U-SET B)))
          (NOTE+GENERALIZE (IS F (NON-EMPTY-SUBSET-OF (U-SET B)))))
        (NOTE-GOAL))
      (IN-CONTEXT
        ((SUPPOSE (NOT (EXISTS-SOME (MEMBER-OF F))))
         (LET-BE ESET THE-EMPTY-SET))
        (IN-CONTEXT
          ((PUSH-GOAL (IS ESET (IN-U-SET B)))
           (LET-BE S (FAMILY-UNION (U-SET B))))
          (NOTE-GOAL))
        (IN-CONTEXT
          ((LET-BE S (UPPER-BOUND-OF F B)))
          (NOTE-GOAL)))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S1 (IN-U-SET B))
           (S2 (IN-U-SET B)))
    (= (JOIN S1 S2 B)
       (UNION S1 S2))))

(LEMMA
  (FORALL ((B POWER-LATTICE)
           (S1 (IN-U-SET B))
           (S2 (IN-U-SET B)))
    (= (MEET S1 S2 B)
       (INTERSECTION S1 S2))))

(IN-CONTEXT ((LET-BE B POWER-LATTICE)
             (LET-BE S1 (IN-U-SET B))
             (LET-BE S2 (IN-U-SET B)))
  (IN-CONTEXT
    ((PUSH-GOAL (= (JOIN S1 S2 B) (UNION S1 S2))))
    (IN-CONTEXT
      ((LET-BE S3 (MAKE-SET S1 S2)))
      (NOTE (EXACTLY-ONE (LEAST-UPPER-BOUND-OF S3 B)))
      (NOTE (IS (UNION S1 S2) (LEAST-UPPER-BOUND-OF S3 B))))
    (IN-CONTEXT
      ((LET-BE J (JOIN S1 S2 B))
       (LET-BE U (UNION S1 S2)))
      (NOTE-GOAL)))
  (IN-CONTEXT
    ((PUSH-GOAL (= (MEET S1 S2 B) (INTERSECTION S1 S2))))
    (IN-CONTEXT
      ((LET-BE S3 (MAKE-SET S1 S2)))
      (NOTE (EXACTLY-ONE (GREATEST-LOWER-BOUND-OF S3 B)))
      (NOTE (IS (INTERSECTION S1 S2) (GREATEST-LOWER-BOUND-OF S3 B))))
    (IN-CONTEXT
      ((LET-BE J (MEET S1 S2 B))
       (LET-BE U (INTERSECTION S1 S2)))
      (NOTE-GOAL))))
(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (IS (MEET X Y L)
        (LESS-OR-EQUAL-TO X L))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (IS (JOIN X Y L)
        (GREATER-OR-EQUAL-TO X L))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (IS-EVERY (AND-TYPE (LESS-OR-EQUAL-TO X L)
                        (LESS-OR-EQUAL-TO Y L))
              (LESS-OR-EQUAL-TO (MEET X Y L) L))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (IS-EVERY (AND-TYPE (GREATER-OR-EQUAL-TO X L)
                        (GREATER-OR-EQUAL-TO Y L))
              (GREATER-OR-EQUAL-TO (JOIN X Y L) L))))



(IN-CONTEXT
  ((LET-BE L LATTICE)
   (LET-BE X (IN-U-SET L))
   (LET-BE Y (IN-U-SET L))
   (LET-BE S (MAKE-SET X Y)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS (MEET X Y L) (LESS-OR-EQUAL-TO X L)))
     (LET-BE M (MEET X Y L)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS (JOIN X Y L) (GREATER-OR-EQUAL-TO X L)))
     (LET-BE J (JOIN X Y L)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL
      (IS-EVERY (AND-TYPE (LESS-OR-EQUAL-TO X L)
                          (LESS-OR-EQUAL-TO Y L))
                (LESS-OR-EQUAL-TO (MEET X Y L) L))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (AND-TYPE (LESS-OR-EQUAL-TO X L)
                                       (LESS-OR-EQUAL-TO Y L))))
       (LET-BE Z (AND-TYPE (LESS-OR-EQUAL-TO X L)
                           (LESS-OR-EQUAL-TO Y L)))
       (LET-BE M (MEET X Y L)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL
      (IS-EVERY (AND-TYPE (GREATER-OR-EQUAL-TO X L)
                          (GREATER-OR-EQUAL-TO Y L))
                (GREATER-OR-EQUAL-TO (JOIN X Y L) L))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (AND-TYPE (GREATER-OR-EQUAL-TO X L)
                                       (GREATER-OR-EQUAL-TO Y L))))
       (LET-BE Z (AND-TYPE (GREATER-OR-EQUAL-TO X L)
                           (GREATER-OR-EQUAL-TO Y L)))
       (LET-BE J (JOIN X Y L)))
      (NOTE-GOAL))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((L LATTICE)
           (Y (IN-U-SET L))
           (X (IN-U-SET L)))
    (IFF (IS X (LESS-OR-EQUAL-TO Y L))
         (= (MEET X Y L) X))))

(LEMMA
  (FORALL ((L LATTICE)
           (Y (IN-U-SET L))
           (X (IN-U-SET L)))
    (IFF (IS X (GREATER-OR-EQUAL-TO Y L))
         (= (JOIN X Y L) X))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (= (JOIN (MEET X Y L) Y L)
       Y)))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (= (MEET (JOIN X Y L) Y L)
       Y)))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE X (IN-U-SET L))
             (LET-BE Y (IN-U-SET L)))
  (IN-CONTEXT
    ((PUSH-GOAL
      (IFF (IS X (LESS-OR-EQUAL-TO Y L))
           (= (MEET X Y L) X))))
    ;the only-if case is trivial
    (IN-CONTEXT ((SUPPOSE (= (MEET X Y L) X)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y L))))
      ;in this case it is obvious that x
      ;is a lower bound, thus we only need
      ;to show that x is the greatest lower
      ;bound
      (IN-CONTEXT
        ((LET-BE Z (UPPER-BOUND-OF (MAKE-SET X Y) L))
         (LET-BE S (MAKE-SET X Y)))
        (NOTE-GOAL)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL
      (IFF (IS X (GREATER-OR-EQUAL-TO Y L))
           (= (JOIN X Y L) X))))
    (IN-CONTEXT ((SUPPOSE (= (JOIN X Y L) X)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((SUPPOSE (IS X (GREATER-OR-EQUAL-TO Y L))))
      (IN-CONTEXT
        ((LET-BE Z (UPPER-BOUND-OF (MAKE-SET X Y) L))
         (LET-BE S (MAKE-SET X Y)))
        (NOTE-GOAL)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (= (JOIN (MEET X Y L) Y L) Y))
     (LET-BE M (MEET X Y L)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (= (MEET (JOIN X Y L) Y L) Y))
     (LET-BE J (JOIN X Y L)))
    (NOTE-GOAL)))
(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (X2 (LESS-OR-EQUAL-TO X L))
           (Y (IN-U-SET L)))
    (IS (MEET X2 Y L)
        (LESS-OR-EQUAL-TO (MEET X Y L) L))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (X2 (LESS-OR-EQUAL-TO X L))
           (Y (IN-U-SET L)))
    (IS (JOIN X Y L)
        (GREATER-OR-EQUAL-TO (JOIN X2 Y L) L))))

(IN-CONTEXT
  ((LET-BE L LATTICE)
   (LET-BE X (IN-U-SET L))
   (LET-BE Y (IN-U-SET L))
   (LET-BE X2 (LESS-OR-EQUAL-TO X L)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS (MEET X2 Y L)
                    (LESS-OR-EQUAL-TO (MEET X Y L) L))))
    (IN-CONTEXT ((LET-BE M (MEET X2 Y L)))
      (NOTE-GOAL)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS (JOIN X Y L)
                    (GREATER-OR-EQUAL-TO (JOIN X2 Y L) L))))
    (IN-CONTEXT ((LET-BE J (JOIN X Y L)))
      (NOTE-GOAL))))






(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L))
           (Z (IN-U-SET L)))
    (= (MEET Z (MEET X Y L) L)
       (THE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y Z) L)))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L))
           (Z (IN-U-SET L)))
    (= (JOIN Z (JOIN X Y L) L)
       (THE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y Z) L)))))

(IN-CONTEXT
  ((LET-BE L L LATTICE)
   (LET-BE X (IN-U-SET L))
   (LET-BE Y (IN-U-SET L))
   (LET-BE Z (IN-U-SET L))
   (LET-BE SXY (MAKE-SET X Y))
   (LET-BE SXYZ (MAKE-SET X Y Z)))
  ;meet is associative
  (IN-CONTEXT
    ((LET-BE MXY (MEET X Y L))
     (LET-BE MXYZ (MEET Z MXY L))
     (PUSH-GOAL (= MXYZ (THE (GREATEST-LOWER-BOUND-OF SXYZ L)))))
    ;it is already a lower bound so we must show
    ;that it is the greatest
    (IN-CONTEXT
      ((LET-BE LBOUND (LOWER-BOUND-OF SXYZ L)))
      (NOTE-GOAL)))
  ;join is associative
  (IN-CONTEXT
    ((LET-BE JXY (JOIN X Y L))
     (LET-BE JXYZ (JOIN Z JXY L))
     (PUSH-GOAL (= JXYZ (THE (LEAST-UPPER-BOUND-OF SXYZ L)))))
    (IN-CONTEXT
      ((LET-BE UBOUND (UPPER-BOUND-OF SXYZ L)))
      (NOTE-GOAL))))



(LEMMA
  (FORALL ((L LATTICE)
           (Y (IN-U-SET L))
           (X (IN-U-SET L)))
    (= (MEET X Y L)
       (MEET Y X L))))

(LEMMA
  (FORALL ((L LATTICE)
           (Y (IN-U-SET L))
           (X (IN-U-SET L)))
    (= (JOIN X Y L)
       (JOIN Y X L))))

(LEMMA
  (FORALL ((L LATTICE)
           (Z (IN-U-SET L))
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (= (MEET (MEET X Y L) Z L)
       (MEET Z (MEET X Y L) L))))

(LEMMA
  (FORALL ((L LATTICE)
           (Z (IN-U-SET L))
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (= (JOIN (JOIN X Y L) Z L)
       (JOIN Z (JOIN X Y L) L))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L))
           (Z (IN-U-SET L)))
    (= (MEET X (MEET Y Z L) L)
       (MEET (MEET X Y L) Z L))))

(LEMMA
  (FORALL ((L LATTICE)
           (X (IN-U-SET L))
           (Y (IN-U-SET L))
           (Z (IN-U-SET L)))
    (= (JOIN X (JOIN Y Z L) L)
       (JOIN (JOIN X Y L) Z L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE X (IN-U-SET L))
             (LET-BE Y (IN-U-SET L)))
  (NOTE (= (MEET X Y L)
           (MEET Y X L)))
  (NOTE (= (JOIN X Y L)
           (JOIN Y X L)))
  (IN-CONTEXT ((LET-BE Z (IN-U-SET L)))
    (IN-CONTEXT ((LET-BE MXY (MEET X Y L)))
      (NOTE (= (MEET MXY Z L)
               (MEET Z MXY L))))
    (IN-CONTEXT ((LET-BE JXY (JOIN X Y L)))
      (NOTE (= (JOIN JXY Z L)
               (JOIN Z JXY L))))
    (NOTE (= (MEET X (MEET Y Z L) L)
             (MEET (MEET X Y L) Z L)))
    (NOTE (= (JOIN X (JOIN Y Z L) L)
             (JOIN (JOIN X Y L) Z L)))))



A.7 Bounded, Distributive and Complemented Lattices

A bounded lattice is a lattice with a greatest and a least member where
the greatest member is distinct from the least member (singleton lattices are
ruled out). If L is a bounded lattice and x and y are elements of L we say
that x and y are complements if their meet is the least member of L and
their join is the greatest member of L. A complemented lattice is a bounded
lattice in which every element has at least one complement.

A distributive lattice is a lattice in which meet distributes over join and
vice versa. In a bounded distributive lattice every element has at most one
complement. A Boolean lattice is a complemented distributive lattice. We
prove deMorgan's laws for Boolean lattices and establish several distinct
characterizations of the lattice order relation.

We also show that every power set lattice is a Boolean lattice.
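As an added illustration (constructed Python, not Ontic code and not from the thesis), the following finite model checks the definitions of this section by brute force. `FiniteLattice`, `power_set_lattice`, `diamond_m3` and the checker functions are names chosen here; meet and join are not stored but computed as greatest lower and least upper bounds, so the checks depend only on the order relation, as the Ontic definitions do. The power-set lattice on three elements passes every check (bounded, distributive, complemented, unique complements, deMorgan's laws, the four equivalent characterizations of the order proved later in this section, and join = union, meet = intersection, as the lemmas above state). The five-element lattice M3 is complemented but not distributive, and each of its atoms has two complements, which shows why the at-most-one-complement lemma needs distributivity.

```python
from itertools import combinations
from functools import reduce

class FiniteLattice:
    """A finite lattice given by its carrier and an order relation.
    MEET and JOIN are computed as greatest lower bound and least upper bound.
    (Constructed example; not the thesis's own code.)"""

    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq

    def _bound(self, family, lower, pick_greatest):
        # all lower (or upper) bounds of the family, then the greatest (or least) of them
        bounds = [b for b in self.elements
                  if all(self.leq(b, x) if lower else self.leq(x, b) for x in family)]
        best = [b for b in bounds
                if all(self.leq(c, b) if pick_greatest else self.leq(b, c) for c in bounds)]
        return best[0] if len(best) == 1 else None   # None: no such bound exists

    def glb(self, family):            # GREATEST-LOWER-BOUND-OF
        return self._bound(family, lower=True, pick_greatest=True)

    def lub(self, family):            # LEAST-UPPER-BOUND-OF
        return self._bound(family, lower=False, pick_greatest=False)

    def meet(self, x, y):
        return self.glb([x, y])

    def join(self, x, y):
        return self.lub([x, y])

    def top(self):                    # greatest member = glb of the empty family
        return self.glb([])

    def bottom(self):                 # least member = lub of the empty family
        return self.lub([])

def is_lattice(L):
    return all(L.meet(x, y) is not None and L.join(x, y) is not None
               for x in L.elements for y in L.elements)

def is_bounded(L):                    # BOUNDED-LATTICE: top and bottom exist and differ
    t, b = L.top(), L.bottom()
    return t is not None and b is not None and t != b

def is_distributive(L):               # DISTRIBUTIVE-LATTICE: both distributive laws
    E = L.elements
    return all(L.join(x, L.meet(y, z)) == L.meet(L.join(x, y), L.join(x, z)) and
               L.meet(x, L.join(y, z)) == L.join(L.meet(x, y), L.meet(x, z))
               for x in E for y in E for z in E)

def complements_of(L, x):             # COMPLEMENT-OF: meet is bottom, join is top
    return [y for y in L.elements
            if L.meet(x, y) == L.bottom() and L.join(x, y) == L.top()]

def is_complemented(L):
    return is_bounded(L) and all(complements_of(L, x) for x in L.elements)

def complements_unique(L):
    return all(len(complements_of(L, x)) == 1 for x in L.elements)

def boolean_lattice_report(L):
    return {"lattice": is_lattice(L), "bounded": is_bounded(L),
            "distributive": is_distributive(L), "complemented": is_complemented(L),
            "unique_complements": complements_unique(L)}

def de_morgan_holds(L):
    c = lambda x: complements_of(L, x)[0]   # the unique complement of a Boolean lattice
    return all(c(L.meet(x, y)) == L.join(c(x), c(y)) and
               c(L.join(x, y)) == L.meet(c(x), c(y))
               for x in L.elements for y in L.elements)

def order_characterisations_agree(L):
    """The four conditions on x and y that this section proves equivalent."""
    c, b, t = (lambda x: complements_of(L, x)[0]), L.bottom(), L.top()
    return all(len({L.leq(x, y),
                    L.leq(c(y), c(x)),
                    L.meet(x, c(y)) == b,
                    L.join(c(x), y) == t}) == 1
               for x in L.elements for y in L.elements)

def power_set_lattice(universe):      # POWER-SET-LATTICE: subsets ordered by inclusion
    elems = sorted(universe)
    carrier = [frozenset(s) for r in range(len(elems) + 1) for s in combinations(elems, r)]
    return FiniteLattice(carrier, lambda x, y: x <= y)

def power_lattice_ops_are_set_ops(L):
    """JOIN is UNION, MEET is INTERSECTION, and the lub/glb of every non-empty
    family is its FAMILY-UNION / FAMILY-INTERSECTION."""
    E = L.elements
    pairs = all(L.join(x, y) == x | y and L.meet(x, y) == x & y for x in E for y in E)
    families = [f for r in range(1, len(E) + 1) for f in combinations(E, r)]
    fams = all(L.lub(f) == reduce(frozenset.union, f) and
               L.glb(f) == reduce(frozenset.intersection, f) for f in families)
    return pairs and fams

def diamond_m3():
    """Five-element lattice M3: bottom "0", three incomparable atoms, top "1".
    Complemented but not distributive, so complements are not unique."""
    leq = lambda x, y: x == y or x == "0" or y == "1"
    return FiniteLattice(["0", "a", "b", "c", "1"], leq)
```

`boolean_lattice_report(power_set_lattice("abc"))` reports every property as true, while for `diamond_m3()` the lattice is bounded and complemented but neither distributive nor unique in its complements (`complements_of(M3, "a")` returns both `"b"` and `"c"`). Brute force over a carrier of eight elements is instantaneous; the point of computing meet and join from the order alone is that each checker mirrors the corresponding Ontic definition rather than assuming the set-theoretic operations.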

(DEFTYPE BOUNDED-LATTICE
  (LAMBDA ((L LATTICE))
    (AND
      (EXISTS-SOME (GREATEST-MEMBER-OF (U-SET L) L))
      (EXISTS-SOME (LEAST-MEMBER-OF (U-SET L) L))
      (NOT
        (= (THE (GREATEST-MEMBER-OF (U-SET L) L))
           (THE (LEAST-MEMBER-OF (U-SET L) L)))))))

(LEMMA
  (FORALL ((L LATTICE))
    (AT-MOST-ONE (GREATEST-MEMBER-OF (U-SET L) L))))

(LEMMA
  (FORALL ((L LATTICE))
    (AT-MOST-ONE (LEAST-MEMBER-OF (U-SET L) L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE S (U-SET L)))
  (NOTE (AT-MOST-ONE (GREATEST-MEMBER-OF S L)))
  (NOTE (AT-MOST-ONE (LEAST-MEMBER-OF S L))))

(DEFTERM (TOP (L BOUNDED-LATTICE))
  (THE (GREATEST-MEMBER-OF (U-SET L) L)))

(DEFTERM (BOTTOM (L BOUNDED-LATTICE))
  (THE (LEAST-MEMBER-OF (U-SET L) L)))



APPENDIX A. THE STONE REPRESENTATION THEOREM



(LEMMA
  (FORALL ((L POWER-LATTICE))
    (NOT (= (FAMILY-UNION (U-SET L))
            THE-EMPTY-SET))))

(LEMMA
  (FORALL ((L POWER-LATTICE))
    (IS L BOUNDED-LATTICE)))

(LEMMA
  (FORALL ((L POWER-LATTICE))
    (= (TOP L)
       (FAMILY-UNION (U-SET L)))))

(LEMMA
  (FORALL ((L POWER-LATTICE))
    (= (BOTTOM L) THE-EMPTY-SET)))

(IN-CONTEXT
  ((LET-BE L POWER-LATTICE)
   (LET-BE F (U-SET L))
   (LET-BE T (FAMILY-UNION F))
   (LET-BE BOT THE-EMPTY-SET)
   (LET-BE X (IN-U-SET L)))
  (NOTE (NOT (= T BOT)))
  (NOTE (IS L BOUNDED-LATTICE))
  (NOTE (= (TOP L) T))
  (NOTE (= (BOTTOM L) BOT)))



(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (IS (TOP L)
        (IN-U-SET L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (IN-U-SET L)))
    (IS X
        (LESS-OR-EQUAL-TO (TOP L) L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (IN-U-SET L)))
    (= X
       (MEET X (TOP L) L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (IN-U-SET L)))
    (= (TOP L)
       (JOIN X (TOP L) L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (IS (BOTTOM L)
        (IN-U-SET L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (IN-U-SET L)))
    (IS X
        (GREATER-OR-EQUAL-TO (BOTTOM L) L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (IN-U-SET L)))
    (= X
       (JOIN X (BOTTOM L) L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (IN-U-SET L)))
    (= (BOTTOM L)
       (MEET X (BOTTOM L) L))))

(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (LET-BE X (IN-U-SET L))
             (LET-BE S (U-SET L)))
  (IN-CONTEXT ((LET-BE T (TOP L)))
    (NOTE (IS T (IN-U-SET L)))
    (NOTE (IS X (LESS-OR-EQUAL-TO T L)))
    (NOTE (= X (MEET X T L)))
    (NOTE (= T (JOIN X T L))))
  (IN-CONTEXT ((LET-BE F (BOTTOM L)))
    (NOTE (IS F (IN-U-SET L)))
    (NOTE (IS X (GREATER-OR-EQUAL-TO F L)))
    (NOTE (= X (JOIN X F L)))
    (NOTE (= F (MEET X F L)))))



(DEFTYPE DISTRIBUTIVE-LATTICE
  (LAMBDA ((L LATTICE))
    (FORALL ((X (IN-U-SET L))
             (Y (IN-U-SET L))
             (Z (IN-U-SET L)))
      (AND (= (JOIN X (MEET Y Z L) L)
              (MEET (JOIN X Y L) (JOIN X Z L) L))
           (= (MEET X (JOIN Y Z L) L)
              (JOIN (MEET X Y L) (MEET X Z L) L))))))



(LEMMA
  (FORALL ((L POWER-LATTICE)
           (S1 (IN-U-SET L))
           (S2 (IN-U-SET L))
           (S3 (IN-U-SET L)))
    (= (JOIN S1 (MEET S2 S3 L) L)
       (UNION S1 (INTERSECTION S2 S3)))))

(LEMMA
  (FORALL ((L POWER-LATTICE)
           (S2 (IN-U-SET L))
           (S1 (IN-U-SET L))
           (S3 (IN-U-SET L)))
    (= (MEET (JOIN S1 S2 L)
             (JOIN S1 S3 L)
             L)
       (INTERSECTION (UNION S1 S2)
                     (UNION S1 S3)))))

(LEMMA
  (FORALL ((L POWER-LATTICE)
           (S1 (IN-U-SET L))
           (S2 (IN-U-SET L))
           (S3 (IN-U-SET L)))
    (= (MEET S1 (JOIN S2 S3 L) L)
       (INTERSECTION S1 (UNION S2 S3)))))

(LEMMA
  (FORALL ((L POWER-LATTICE)
           (S2 (IN-U-SET L))
           (S1 (IN-U-SET L))
           (S3 (IN-U-SET L)))
    (= (JOIN (MEET S1 S2 L)
             (MEET S1 S3 L)
             L)
       (UNION (INTERSECTION S1 S2)
              (INTERSECTION S1 S3)))))

(LEMMA
  (FORALL ((L POWER-LATTICE))
    (IS L DISTRIBUTIVE-LATTICE)))

(IN-CONTEXT ((LET-BE L POWER-LATTICE)
             (LET-BE S1 (IN-U-SET L))
             (LET-BE S2 (IN-U-SET L))
             (LET-BE S3 (IN-U-SET L)))
  (IN-CONTEXT ((LET-BE M23 (MEET S2 S3 L)))
    (NOTE (= (JOIN S1 M23 L)
             (UNION S1 (INTERSECTION S2 S3)))))
  (IN-CONTEXT ((LET-BE J12 (JOIN S1 S2 L))
               (LET-BE J13 (JOIN S1 S3 L)))
    (NOTE (= (MEET J12 J13 L)
             (INTERSECTION (UNION S1 S2)
                           (UNION S1 S3)))))
  (IN-CONTEXT ((LET-BE J23 (JOIN S2 S3 L)))
    (NOTE (= (MEET S1 J23 L)
             (INTERSECTION S1 (UNION S2 S3)))))
  (IN-CONTEXT ((LET-BE M12 (MEET S1 S2 L))
               (LET-BE M13 (MEET S1 S3 L)))
    (NOTE (= (JOIN M12 M13 L)
             (INTERSECTION (UNION S1 S2)
                           (UNION S1 S3)))))
  (NOTE (IS L DISTRIBUTIVE-LATTICE)))
(DEFTYPE (COMPLEMENT-OF (X (IN-U-SET L))
                        (L BOUNDED-LATTICE))
  (LAMBDA ((Y (IN-U-SET L)))
    (AND (= (MEET X Y L)
            (BOTTOM L))
         (= (JOIN X Y L)
            (TOP L)))))

(DEFTYPE COMPLEMENTED-LATTICE
  (LAMBDA ((L BOUNDED-LATTICE))
    (FORALL ((X (IN-U-SET L)))
      (EXISTS-SOME (COMPLEMENT-OF X L)))))

(LEMMA
  (FORALL ((L POWER-LATTICE)
           (S1 (IN-U-SET L)))
    (IS (SET-DIFFERENCE (FAMILY-UNION (U-SET L))
                        S1)
        (COMPLEMENT-OF S1 L))))

(LEMMA
  (FORALL ((L POWER-LATTICE))
    (IS L COMPLEMENTED-LATTICE)))

(IN-CONTEXT
  ((LET-BE L POWER-LATTICE)
   (LET-BE UNIVERSE (FAMILY-UNION (U-SET L)))
   (LET-BE S1 (IN-U-SET L))
   (LET-BE S2 (SET-DIFFERENCE UNIVERSE S1)))
  (NOTE (IS S2 (COMPLEMENT-OF S1 L)))
  (NOTE (IS L COMPLEMENTED-LATTICE)))






(LEMMA
  (EXISTS-SOME (AND-TYPE DISTRIBUTIVE-LATTICE
                         BOUNDED-LATTICE)))

(IN-CONTEXT ((LET-BE L POWER-LATTICE))
  (NOTE (EXISTS-SOME (AND-TYPE DISTRIBUTIVE-LATTICE
                               BOUNDED-LATTICE))))

(LEMMA
  (FORALL ((L (AND-TYPE DISTRIBUTIVE-LATTICE
                        BOUNDED-LATTICE))
           (X (IN-U-SET L)))
    (AT-MOST-ONE (COMPLEMENT-OF X L))))

(IN-CONTEXT
  ((LET-BE L (AND-TYPE DISTRIBUTIVE-LATTICE
                       BOUNDED-LATTICE))
   (LET-BE X (IN-U-SET L))
   (PUSH-GOAL (AT-MOST-ONE (COMPLEMENT-OF X L))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (COMPLEMENT-OF X L)))
     (LET-BE Y1 (COMPLEMENT-OF X L))
     (LET-BE Y2 (COMPLEMENT-OF X L)))
    (NOTE-GOAL))
  (NOTE-GOAL))



(DEFTYPE BOOLEAN-LATTICE
  (AND-TYPE DISTRIBUTIVE-LATTICE
            COMPLEMENTED-LATTICE))

(DEFTERM (COMPLEMENT (X (IN-U-SET B))
                     (B BOOLEAN-LATTICE))
  (THE (COMPLEMENT-OF X B)))
(LEMMA
  (EXISTS-SOME BOOLEAN-LATTICE))

(IN-CONTEXT ((LET-BE L POWER-LATTICE))
  (NOTE (EXISTS-SOME BOOLEAN-LATTICE)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (= (COMPLEMENT (MEET X Y B) B)
       (JOIN (COMPLEMENT X B)
             (COMPLEMENT Y B)
             B))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (= (COMPLEMENT (JOIN X Y B) B)
       (MEET (COMPLEMENT X B)
             (COMPLEMENT Y B)
             B))))

(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE X (IN-U-SET B))
   (LET-BE Y (IN-U-SET B))
   (LET-BE CX (COMPLEMENT X B))
   (LET-BE CY (COMPLEMENT Y B)))
  (IN-CONTEXT ((LET-BE M (MEET X Y B))
               (LET-BE J (JOIN CX CY B)))
    (NOTE (= (COMPLEMENT M B) J)))
  (IN-CONTEXT ((LET-BE J (JOIN X Y B))
               (LET-BE M (MEET CX CY B)))
    (NOTE (= (COMPLEMENT J B) M))))






(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (= (MEET X Y B)
       (COMPLEMENT (JOIN (COMPLEMENT X B)
                         (COMPLEMENT Y B)
                         B)
                   B))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (= (JOIN X Y B)
       (COMPLEMENT (MEET (COMPLEMENT X B)
                         (COMPLEMENT Y B)
                         B)
                   B))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE X (IN-U-SET B))
             (LET-BE Y (IN-U-SET B)))
  (IN-CONTEXT ((LET-BE M (MEET X Y B))
               (LET-BE J (JOIN (COMPLEMENT X B)
                               (COMPLEMENT Y B)
                               B)))
    (NOTE (= M (COMPLEMENT J B))))
  (IN-CONTEXT ((LET-BE J (JOIN X Y B))
               (LET-BE M (MEET (COMPLEMENT X B)
                               (COMPLEMENT Y B)
                               B)))
    (NOTE (= J (COMPLEMENT M B)))))



The following are equivalent:

(IS X (LESS-OR-EQUAL-TO Y B))

(IS (COMPLEMENT Y B)
    (LESS-OR-EQUAL-TO (COMPLEMENT X B) B))

(= (MEET X (COMPLEMENT Y B) B)
   (BOTTOM B))

(= (JOIN (COMPLEMENT X B) Y B)
   (TOP B))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (=> (IS X (LESS-OR-EQUAL-TO Y B))
        (IS (COMPLEMENT Y B)
            (LESS-OR-EQUAL-TO (COMPLEMENT X B) B)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (=> (IS (COMPLEMENT Y B)
            (LESS-OR-EQUAL-TO (COMPLEMENT X B) B))
        (= (MEET X (COMPLEMENT Y B) B)
           (BOTTOM B)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (=> (= (MEET X (COMPLEMENT Y B) B)
           (BOTTOM B))
        (= (JOIN (COMPLEMENT X B) Y B)
           (TOP B)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (Y (IN-U-SET B))
           (X (IN-U-SET B)))
    (=> (= (JOIN (COMPLEMENT X B) Y B)
           (TOP B))
        (IS X (LESS-OR-EQUAL-TO Y B)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE X (IN-U-SET B))
             (LET-BE Y (IN-U-SET B)))
  (IN-CONTEXT
    ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y B)))
     (PUSH-GOAL (IS (COMPLEMENT Y B)
                    (LESS-OR-EQUAL-TO (COMPLEMENT X B) B))))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                 (LET-BE CY (COMPLEMENT Y B)))
      (NOTE-GOAL)))
  (IN-CONTEXT
    ((SUPPOSE (IS (COMPLEMENT Y B)
                  (LESS-OR-EQUAL-TO (COMPLEMENT X B) B)))
     (PUSH-GOAL (= (MEET X (COMPLEMENT Y B) B)
                   (BOTTOM B))))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                 (LET-BE CY (COMPLEMENT Y B)))
      (NOTE-GOAL)))
  (IN-CONTEXT
    ((SUPPOSE (= (MEET X (COMPLEMENT Y B) B)
                 (BOTTOM B)))
     (PUSH-GOAL (= (JOIN (COMPLEMENT X B) Y B)
                   (TOP B))))
    (IN-CONTEXT ((LET-BE CY (COMPLEMENT Y B))
                 (LET-BE J (JOIN (COMPLEMENT X B) Y B)))
      (NOTE-GOAL)))
  (IN-CONTEXT
    ((SUPPOSE (= (JOIN (COMPLEMENT X B) Y B)
                 (TOP B)))
     (PUSH-GOAL (IS X (LESS-OR-EQUAL-TO Y B))))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                 (LET-BE M (MEET X Y B)))
      (NOTE-GOAL))))
A.8 Sublattices

A lattice subset of a Boolean lattice is a subset that is closed under the meet
and join operations of the lattice. The poset which results from restricting the
order in L to a lattice subset of L is called a lattice subalgebra of L. We prove
that a lattice subalgebra of L is a lattice with the same lattice operations as
L.

A Boolean subset of a Boolean lattice is a lattice subset which is also closed
under taking complements; from deMorgan's laws it is sufficient that the subset
be closed under intersection and complement or union and complement.
The poset which results from restricting the order of a Boolean lattice L to
a Boolean subset of L is called a Boolean subalgebra of L. We prove that a
Boolean subalgebra of L is a Boolean lattice with the same Boolean operations
as L.

(DEFTYPE (FINITE-MEET-SUBSET-OF (B LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET B))))
    (FORALL ((X (MEMBER-OF S)))
      (FORALL ((Y (MEMBER-OF S)))
        (IS (MEET X Y B) (MEMBER-OF S))))))

(DEFTYPE (FINITE-JOIN-SUBSET-OF (B LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET B))))
    (FORALL ((X (MEMBER-OF S)))
      (FORALL ((Y (MEMBER-OF S)))
        (IS (JOIN X Y B) (MEMBER-OF S))))))

(DEFTYPE (LATTICE-SUBSET-OF (L LATTICE))
  (AND-TYPE (FINITE-MEET-SUBSET-OF L)
            (FINITE-JOIN-SUBSET-OF L)))

(LEMMA
  (FORALL ((L LATTICE))
    (IS (U-SET L) (LATTICE-SUBSET-OF L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE S (U-SET L))
             (PUSH-GOAL (IS S (LATTICE-SUBSET-OF L))))
  (IN-CONTEXT ((LET-BE X (IN-U-SET L))
               (LET-BE Y (IN-U-SET L)))
    (IN-CONTEXT ((LET-BE M (MEET X Y L)))
      (NOTE (IS M (MEMBER-OF S))))
    (IN-CONTEXT ((LET-BE J (JOIN X Y L)))
      (NOTE (IS J (MEMBER-OF S))))
    (NOTE-GOAL)))
(DEFTYPE (LATTICE-SUBALGEBRA-OF (L LATTICE))
  (WRITABLE-AS (RESTRICT-ORDER L S)
               (S (LATTICE-SUBSET-OF L))))

(LEMMA
  (FORALL ((L LATTICE))
    (EXISTS-SOME (LATTICE-SUBALGEBRA-OF L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE S (U-SET L))
             (LET-BE L2 (RESTRICT-ORDER L S)))
  (NOTE (EXISTS-SOME (LATTICE-SUBALGEBRA-OF L))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1)))
    (IS (U-SET L2)
        (LATTICE-SUBSET-OF L1))))

(IN-CONTEXT
  ((LET-BE L1 LATTICE)
   (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
   (WRITE-AS L2 (RESTRICT-ORDER L1 S)
             (S (LATTICE-SUBSET-OF L1))))
  (NOTE (IS (U-SET L2) (LATTICE-SUBSET-OF L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2)))
    (IS X (IN-U-SET L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (IS (JOIN X Y L1)
        (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) L2))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (IS (MEET X Y L1)
        (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) L2))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1)))
    (IS L2 LATTICE)))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (JOIN X Y L1)
       (JOIN X Y L2))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (MEET X Y L1)
       (MEET X Y L2))))

(IN-CONTEXT
  ((LET-BE L1 LATTICE)
   (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
   (LET-BE X (IN-U-SET L2))
   (LET-BE Y (IN-U-SET L2))
   (WRITE-AS L2 (RESTRICT-ORDER L1 S)
             (S (LATTICE-SUBSET-OF L1))))
  (NOTE (IS X (IN-U-SET L1)))
  (IN-CONTEXT ((LET-BE S (MAKE-SET X Y)))
    (IN-CONTEXT
      ((LET-BE J (JOIN X Y L1))
       (PUSH-GOAL (IS J (LEAST-UPPER-BOUND-OF S L2)))
       (LET-BE Z (UPPER-BOUND-OF S L2)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((LET-BE M (MEET X Y L1))
       (PUSH-GOAL (IS M (GREATEST-LOWER-BOUND-OF S L2)))
       (LET-BE Z (LOWER-BOUND-OF S L2)))
      (NOTE-GOAL)))
  (NOTE (IS L2 LATTICE))
  (IN-CONTEXT ((LET-BE J (JOIN X Y L1)))
    (NOTE (= (JOIN X Y L1) (JOIN X Y L2))))
  (IN-CONTEXT ((LET-BE M (MEET X Y L1)))
    (NOTE (= (MEET X Y L1) (MEET X Y L2)))))
(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (Z (IN-U-SET L2))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (MEET Z (JOIN X Y L2) L2)
       (MEET Z (JOIN X Y L1) L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (Z (IN-U-SET L2))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (JOIN Z (JOIN X Y L2) L2)
       (JOIN Z (JOIN X Y L1) L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Z (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (MEET (JOIN X Y L2)
             (JOIN Z Y L2)
             L2)
       (MEET (JOIN X Y L1)
             (JOIN Z Y L1)
             L1))))

(IN-CONTEXT
  ((LET-BE L1 LATTICE)
   (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
   (LET-BE X (IN-U-SET L2))
   (LET-BE Y (IN-U-SET L2))
   (LET-BE Z (IN-U-SET L2))
   (WRITE-AS L2 (RESTRICT-ORDER L1 S)
             (S (LATTICE-SUBSET-OF L1)))
   (LET-BE J (JOIN X Y L2)))
  (NOTE (= (MEET Z (JOIN X Y L2) L2)
           (MEET Z (JOIN X Y L1) L1)))
  (NOTE (= (JOIN Z (JOIN X Y L2) L2)
           (JOIN Z (JOIN X Y L1) L1)))
  (IN-CONTEXT ((LET-BE J2 (JOIN Z Y L2)))
    (NOTE (= (MEET (JOIN X Y L2)
                   (JOIN Z Y L2)
                   L2)
             (MEET (JOIN X Y L1)
                   (JOIN Z Y L1)
                   L1)))))
(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (Z (IN-U-SET L2))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (JOIN Z (MEET X Y L2) L2)
       (JOIN Z (MEET X Y L1) L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (Z (IN-U-SET L2))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (MEET Z (MEET X Y L2) L2)
       (MEET Z (MEET X Y L1) L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Z (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (JOIN (MEET X Y L2)
             (MEET Z Y L2)
             L2)
       (JOIN (MEET X Y L1)
             (MEET Z Y L1)
             L1))))

(LEMMA
  (FORALL ((L1 LATTICE))
    (=> (IS L1 DISTRIBUTIVE-LATTICE)
        (FORALL ((L2 (LATTICE-SUBALGEBRA-OF L1)))
          (IS L2 DISTRIBUTIVE-LATTICE)))))

(IN-CONTEXT
  ((LET-BE L1 LATTICE)
   (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
   (LET-BE X (IN-U-SET L2))
   (LET-BE Y (IN-U-SET L2))
   (LET-BE Z (IN-U-SET L2))
   (WRITE-AS L2 (RESTRICT-ORDER L1 S)
             (S (LATTICE-SUBSET-OF L1))))
  (IN-CONTEXT ((LET-BE M (MEET X Y L2)))
    (NOTE (= (JOIN Z (MEET X Y L2) L2)
             (JOIN Z (MEET X Y L1) L1)))
    (NOTE (= (MEET Z (MEET X Y L2) L2)
             (MEET Z (MEET X Y L1) L1)))
    (IN-CONTEXT ((LET-BE M2 (MEET Z Y L2)))
      (NOTE (= (JOIN (MEET X Y L2)
                     (MEET Z Y L2)
                     L2)
               (JOIN (MEET X Y L1)
                     (MEET Z Y L1)
                     L1)))))
  (IN-CONTEXT
    ((SUPPOSE (IS L1 DISTRIBUTIVE-LATTICE)))
    (NOTE (IS L2 DISTRIBUTIVE-LATTICE))))



(DEFTYPE (COMPLEMENTED-SUBSET-OF (B BOOLEAN-LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET B))))
    (FORALL ((X (MEMBER-OF S)))
      (IS (COMPLEMENT X B) (MEMBER-OF S)))))

(DEFTYPE (BOOLEAN-SUBSET-OF (B BOOLEAN-LATTICE))
  (AND-TYPE (FINITE-MEET-SUBSET-OF B)
            (FINITE-JOIN-SUBSET-OF B)
            (COMPLEMENTED-SUBSET-OF B)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (S (SUBSET-OF (U-SET B))))
    (=> (IS S (AND-TYPE (FINITE-MEET-SUBSET-OF B)
                        (COMPLEMENTED-SUBSET-OF B)))
        (IS S (BOOLEAN-SUBSET-OF B)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (SUBSET-OF (U-SET B))))
  (IN-CONTEXT
    ((SUPPOSE (IS S (AND-TYPE (FINITE-MEET-SUBSET-OF B)
                              (COMPLEMENTED-SUBSET-OF B))))
     (PUSH-GOAL (IS S (BOOLEAN-SUBSET-OF B))))
    (IN-CONTEXT ((LET-BE X (MEMBER-OF S))
                 (LET-BE Y (MEMBER-OF S)))
      (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                   (LET-BE CY (COMPLEMENT Y B)))
        (NOTE (IS (MEET CX CY B) (MEMBER-OF S))))
      (IN-CONTEXT ((LET-BE J (JOIN X Y B))
                   (LET-BE M (MEET (COMPLEMENT X B)
                                   (COMPLEMENT Y B)
                                   B)))
        (NOTE-GOAL)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (S (SUBSET-OF (U-SET B))))
    (=> (IS S (AND-TYPE (FINITE-JOIN-SUBSET-OF B)
                        (COMPLEMENTED-SUBSET-OF B)))
        (IS S (BOOLEAN-SUBSET-OF B)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (SUBSET-OF (U-SET B))))
  (IN-CONTEXT
    ((SUPPOSE (IS S (AND-TYPE (FINITE-JOIN-SUBSET-OF B)
                              (COMPLEMENTED-SUBSET-OF B))))
     (PUSH-GOAL (IS S (BOOLEAN-SUBSET-OF B))))
    (IN-CONTEXT ((LET-BE X (MEMBER-OF S))
                 (LET-BE Y (MEMBER-OF S)))
      (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                   (LET-BE CY (COMPLEMENT Y B)))
        (NOTE (IS (JOIN CX CY B) (MEMBER-OF S))))
      (IN-CONTEXT ((LET-BE M (MEET X Y B))
                   (LET-BE J (JOIN (COMPLEMENT X B)
                                   (COMPLEMENT Y B)
                                   B)))
        (NOTE-GOAL)))))

(DEFTYPE (BOOLEAN-SUBALGEBRA-OF (B BOOLEAN-LATTICE))
  (WRITABLE-AS (RESTRICT-ORDER B S)
               (S (BOOLEAN-SUBSET-OF B))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (U-SET B)
        (BOOLEAN-SUBSET-OF B))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (U-SET B))
             (PUSH-GOAL (IS S (BOOLEAN-SUBSET-OF B))))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B)))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B)))
      (NOTE (IS CX (MEMBER-OF S))))
    (IN-CONTEXT ((LET-BE Y (IN-U-SET B)))
      (IN-CONTEXT ((LET-BE M (MEET X Y B)))
        (NOTE (IS M (MEMBER-OF S))))
      (NOTE-GOAL))))
(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS B2 (LATTICE-SUBALGEBRA-OF B1))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (TOP B1) (IN-U-SET B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (BOTTOM B1) (IN-U-SET B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (TOP B1)
        (GREATEST-MEMBER-OF (U-SET B2) B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (BOTTOM B1)
        (LEAST-MEMBER-OF (U-SET B2) B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (= (TOP B2) (TOP B1))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (= (BOTTOM B2) (BOTTOM B1))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS B2 COMPLEMENTED-LATTICE)))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1))
           (X (IN-U-SET B2)))
    (= (COMPLEMENT X B2)
       (COMPLEMENT X B1))))

(IN-CONTEXT
  ((LET-BE B1 BOOLEAN-LATTICE)
   (LET-BE B2 (BOOLEAN-SUBALGEBRA-OF B1))
   (WRITE-AS B2 (RESTRICT-ORDER B1 S)
             (S (BOOLEAN-SUBSET-OF B1))))
  (NOTE (IS B2 (LATTICE-SUBALGEBRA-OF B1)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B2)))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B1)))
      ;top = (join x cx b1)
      (NOTE (IS (TOP B1) (IN-U-SET B2)))
      ;bottom = (meet x cx b1)
      (NOTE (IS (BOTTOM B1) (IN-U-SET B2)))))
  (IN-CONTEXT ((LET-BE T (TOP B1))
               (LET-BE X (IN-U-SET B2)))
    (NOTE (IS T (GREATEST-MEMBER-OF (U-SET B2) B2))))
  (IN-CONTEXT ((LET-BE F (BOTTOM B1))
               (LET-BE X (IN-U-SET B2)))
    (NOTE (IS F (LEAST-MEMBER-OF (U-SET B2) B2))))
  (IN-CONTEXT ((LET-BE T (TOP B1)))
    (NOTE (= (TOP B2) (TOP B1))))
  (IN-CONTEXT ((LET-BE F (BOTTOM B1)))
    (NOTE (= (BOTTOM B2) (BOTTOM B1))))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B2))
               (LET-BE CX (COMPLEMENT X B1)))
    (NOTE (IS B2 COMPLEMENTED-LATTICE))
    (NOTE (= (COMPLEMENT X B2)
             (COMPLEMENT X B1)))))




A.9 Lattice Morphisms






A Boolean homomorphism is a map between Boolean lattices which commutes
with meet, join, and complementation. By deMorgan's laws it suffices
that the map commute with meet and complementation or join and
complementation. The image of a Boolean homomorphism is a Boolean subset of the
range lattice. A Boolean isomorphism is a bijective Boolean homomorphism.
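As an added example serving both the sublattice lemmas of A.8 and the homomorphism definitions of this section (constructed Python, not part of the thesis; `PowerSetBoolean`, `boolean_subalgebra_generated_by`, `RESTRICT_AB`, `RESTRICT_A` and the other names are chosen here), the block below works in power-set Boolean lattices, where meet, join and complement are intersection, union and set difference from the universe. It closes a generating set under meet and complement only and checks that the result is also closed under join, as the lemma on complemented finite-meet subsets states; and it contrasts two maps from the power set of {a, b, c} to the power set of {a, b}: restriction to {a, b} respects all three operations (a Boolean homomorphism whose image is a Boolean subset of the range, though not an isomorphism, since it is not injective), while restriction to {a} respects meet and join but not complement, so it is a lattice map that is not a Boolean homomorphism.

```python
from itertools import combinations

class PowerSetBoolean:
    """Power-set Boolean lattice of a finite universe with the operations the
    section identifies: MEET is intersection, JOIN is union, COMPLEMENT is set
    difference from the universe. (Constructed example, not the thesis's code.)"""

    def __init__(self, universe):
        self.universe = frozenset(universe)
        elems = sorted(self.universe)
        self.carrier = frozenset(frozenset(s) for r in range(len(elems) + 1)
                                 for s in combinations(elems, r))

    def meet(self, x, y):
        return x & y

    def join(self, x, y):
        return x | y

    def complement(self, x):
        return self.universe - x

    def top(self):
        return self.universe

    def bottom(self):
        return frozenset()

# --- Boolean subsets and subalgebras (A.8) ---------------------------------

def closed_under_meet(B, S):            # FINITE-MEET-SUBSET-OF
    return all(B.meet(x, y) in S for x in S for y in S)

def closed_under_join(B, S):            # FINITE-JOIN-SUBSET-OF
    return all(B.join(x, y) in S for x in S for y in S)

def closed_under_complement(B, S):      # COMPLEMENTED-SUBSET-OF
    return all(B.complement(x) in S for x in S)

def is_boolean_subset(B, S):
    """BOOLEAN-SUBSET-OF: non-empty, inside the carrier, closed under all three operations."""
    return (bool(S) and S <= B.carrier and closed_under_meet(B, S)
            and closed_under_join(B, S) and closed_under_complement(B, S))

def boolean_subalgebra_generated_by(B, generators):
    """Close the generators under meet and complement only. By the lemma that a
    FINITE-MEET-SUBSET which is also COMPLEMENTED is a BOOLEAN-SUBSET, the result
    is closed under join as well (x join y = complement (meet (complement x) (complement y)))."""
    S = set(generators)
    while True:
        new = {B.meet(x, y) for x in S for y in S} | {B.complement(x) for x in S}
        if new <= S:
            return frozenset(S)
        S |= new

def restricted_order_is_subalgebra(B, S):
    """The BOOLEAN-SUBALGEBRA-OF lemmas: B's top and bottom lie in S, and S is
    complemented using B's own complement operation."""
    return B.top() in S and B.bottom() in S and all(B.complement(x) in S for x in S)

# --- Boolean maps and homomorphisms (A.9) -----------------------------------

def respects_meet(B1, B2, h):           # MAP-WHICH-RESPECTS-MEET
    return all(h[B1.meet(x, y)] == B2.meet(h[x], h[y]) for x in B1.carrier for y in B1.carrier)

def respects_join(B1, B2, h):           # MAP-WHICH-RESPECTS-JOIN
    return all(h[B1.join(x, y)] == B2.join(h[x], h[y]) for x in B1.carrier for y in B1.carrier)

def respects_complement(B1, B2, h):     # MAP-WHICH-RESPECTS-COMPLEMENT
    return all(h[B1.complement(x)] == B2.complement(h[x]) for x in B1.carrier)

def is_boolean_homomorphism(B1, B2, h):
    return respects_meet(B1, B2, h) and respects_join(B1, B2, h) and respects_complement(B1, B2, h)

def image_of(h):
    return frozenset(h.values())

def is_boolean_isomorphism(B1, B2, h):  # homomorphism that is a bijection onto B2
    return is_boolean_homomorphism(B1, B2, h) and len(image_of(h)) == len(h) and image_of(h) == B2.carrier

# Constructed maps from the power set of {a,b,c} to the power set of {a,b}:
# restriction to {a,b} is a Boolean homomorphism; restriction to {a} is not.
B3 = PowerSetBoolean("abc")
B2 = PowerSetBoolean("ab")
RESTRICT_AB = {x: x & frozenset("ab") for x in B3.carrier}
RESTRICT_A = {x: x & frozenset("a") for x in B3.carrier}
```

`boolean_subalgebra_generated_by(B3, [frozenset("a")])` returns the four-element subalgebra consisting of the empty set, {a}, {b, c} and {a, b, c}; it was built without ever taking a union, yet `closed_under_join` holds for it, which is exactly what the A.8 lemma promises. `RESTRICT_A` passes `respects_meet` and `respects_join` but fails `respects_complement` (the complement of the empty set maps to {a}, while the complement of its image in the range is {a, b}), so checking meet and join alone is not enough to conclude that a map is a Boolean homomorphism.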

(DEFTYPE LATTICE-MAP
  (LAMBDA ((H MAP))
    (AND (IS (DOMAIN H) LATTICE)
         (IS (RANGE H) LATTICE))))

(DEFTYPE MAP-WHICH-RESPECTS-JOIN
  (LAMBDA ((H LATTICE-MAP))
    (FORALL ((X (IN-MAP-DOMAIN H))
             (Y (IN-MAP-DOMAIN H)))
      (= (APPLY-MAP H (JOIN X Y (DOMAIN H)))
         (JOIN (APPLY-MAP H X)
               (APPLY-MAP H Y)
               (RANGE H))))))

(DEFTYPE MAP-WHICH-RESPECTS-MEET
  (LAMBDA ((H LATTICE-MAP))
    (FORALL ((X (IN-MAP-DOMAIN H))
             (Y (IN-MAP-DOMAIN H)))
      (= (APPLY-MAP H (MEET X Y (DOMAIN H)))
         (MEET (APPLY-MAP H X)
               (APPLY-MAP H Y)
               (RANGE H))))))

(DEFTYPE BOOLEAN-MAP
  (LAMBDA ((H LATTICE-MAP))
    (AND (IS (DOMAIN H) BOOLEAN-LATTICE)
         (IS (RANGE H) BOOLEAN-LATTICE))))

(DEFTYPE MAP-WHICH-RESPECTS-COMPLEMENT
  (LAMBDA ((H BOOLEAN-MAP))
    (FORALL ((X (IN-MAP-DOMAIN H)))
      (= (APPLY-MAP H (COMPLEMENT X (DOMAIN H)))
         (COMPLEMENT (APPLY-MAP H X)
                     (RANGE H))))))
(DEFTYPE BOOLEAN-HOMOMORPHISM
  (AND-TYPE MAP-WHICH-RESPECTS-JOIN
            MAP-WHICH-RESPECTS-MEET
            MAP-WHICH-RESPECTS-COMPLEMENT))

(DEFTYPE (BOOLEAN-HOMOMORPHISM-BETWEEN (B1 BOOLEAN-LATTICE)
                                       (B2 BOOLEAN-LATTICE))
  (LAMBDA ((H (MAP-BETWEEN B1 B2)))
    (IS H BOOLEAN-HOMOMORPHISM)))

(DEFTYPE BOOLEAN-ISOMORPHISM
  (AND-TYPE BOOLEAN-HOMOMORPHISM
            BIJECTION))

(DEFTYPE (BOOLEAN-ISOMORPHISM-BETWEEN (B1 BOOLEAN-LATTICE)
                                      (B2 BOOLEAN-LATTICE))
  (AND-TYPE (BOOLEAN-HOMOMORPHISM-BETWEEN B1 B2)
            BIJECTION))

(DEFTYPE (BOOLEAN-LATTICE-ISOMORPHIC-TO (B1 BOOLEAN-LATTICE))
  (LAMBDA ((B2 BOOLEAN-LATTICE))
    (EXISTS-SOME (BOOLEAN-ISOMORPHISM-BETWEEN B1 B2))))
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(LEHHA 

(EXISTS-SOHE LATTICE-HAP)) 



(IN-CONTEXT ((LET-BE L LATTICE) 

(LET-BE I (IDEHTITY-MAP L))) 
(HOTE (EXISTS-SOHE LATTICE-HAP) ) ) 



(LEHHA 

(EXISTS-SOHE BOOLEAH-HAP)) 



(IH-COHTEXT ((LET-BE B BOOLEAN-LATTICE) 

(LET-BE I (IDENTITY-HAP B))) 
(HOTE (EXISTS-SOHE BOOLEAH-HAP))) 
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(LEMMA 
(FORALL C(H BOOLEAN-MAP)) 
(=> 
(AND 
(IS H 

MAP-VHICH-RESPECTS-COMPLEMEBT) 
(IS H 

MAP-WHICH-RESPECTS- JOIN) ) 

(IS H MAP-WHICH-RESPECTS-MEET)))) 



(LEMMA 
(FDRALL ((H BOOLEAH-MAP)) 
(=> 
(AND 
(IS H 

MAP-VHICH-RESPECTS-COMPLEHEHT) 
(IS H 

MAP-WHICH-RESPECTS-MEET) ) 

(IS H MAP-WHICH-RESPECTS- JOIH)))) 



(IH-COHTEXT ((LET-BE H BOOLEAH-MAP) 
(LET-BE Bl (DOMAIH H)) 
(LET-BE B2 (RAHGE H))) 

(IH-COHTEXT 
((SUPPOSE 

(IS H MAP-WHICH-RESPECTS-JDIH)) 
(SUPPOSE 

(IS H MAP-WHICH-RESPECTS-COMPLEMEHT) ) 
(PUSH-GOAL 

(IS H MAP-WHICH-RESPECTS-MEET))) 
(IH-COHTEXT ((LET-BE X (IH-U-SET Bl)) 
(LET-BE Y (IH-U-SET Bl))) 
(IH-COHTEXT 

((LET-BE CX (COMPLEMEHT X Bl)) 
(LET-BE CY (COMPLEMEHT Y Bl)) 
(LET-BE J (JOIH CX CY Bl))) 
(BOTE (= (APPLY-MAP H (MEET X Y Bl)) 
(COMPLEMEHT 

(JOIH (COMPLEMEHT 

(APPLY-MAP H X) 
B2) 
(COMPLEMEHT 

(APPLY-MAP H Y) 
B2) 
B2) 
B2)))) 
(IN-COHTEXT ((LET-BE HX (APPLY-MAP H X)) 
(LET -BE HY (APPLY-MAP H Y))) 
(HOTE-GOAL)))) 

(IH-COHTEXT 
((SUPPOSE 

(IS H MAP-WHICH-RESPECTS-MEET)) 
(SUPPOSE 

(IS H MAP-WHICH-RESPECTS-COMPLEMEHT) ) 
(PUSH-GOAL 

(IS H MAP-WHICH-RESPECTS-JOIH))) 
(IH-COHTEXT ((LET-BE X (IH-U-SET Bl)) 
(LET-BE Y (IH-U-SET Bl))) 
(IH-COHTEXT 

((LET-BE CX (COMPLEMEHT X BO) 
(LET-BE CY (COMPLEMEHT Y Bl)) 
(LET-BE M (MEET CX CY Bl))) 
(BOTE (= (APPLY-MAP H (JOIH X Y Bl)) 
(COMPLEMEHT 

(MEET (COMPLEMEHT 

(APPLY-MAP H X) 
B2) 
(COMPLEMEHT 

(APPLY-MAP H Y) 
B2) 
B2) 
B2)))) 
(IN-COHTEXT ((LET-BE HX (APPLY-MAP H X)) 
(LET-BE HY (APPLY-MAP H Y))) 
(HOTE-GOAL))))) 
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(LEMMA 

(FORALL ((B BOOLEAH-LATTICE) ) 
(IS (IDEHTITY-HAP B) 

BOOLEAH-HOMOMORPHISM) ) ) 



(II-COITEXT 

((LET-BE B BOOLEAH-LATTICE) 
(LET-BE I (IDEHTITY-HAP B)) 
(PUSH-GOAL 

(IS I BOOLEAH-HOMOMORPHISM))) 
(IH-COHTEXT ((LET-BE X (IH-U-SET B)) 
(LET-BE Y (IH-U-SET B))) 
(IH-COHTEXT ((LET-BE CX (COMPLEHEHT IB))) 

(BOTE (IS I MAP-WHICH-RESPECTS-COMPLEMEHT))) 
(IH-COHTEXT ((LET-BE J (JOIH X Y B))) 
(BOTE (IS I MAP-WHICH-RESPECTS-JOIH)))) 
(HOTE-GOAL)) 



(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (IMAGE H)
        (BOOLEAN-SUBSET-OF (RANGE H)))))

(IN-CONTEXT ((LET-BE H BOOLEAN-HOMOMORPHISM)
             (LET-BE B1 (DOMAIN H))
             (LET-BE B2 (RANGE H))
             (LET-BE S (IMAGE H)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS S (BOOLEAN-SUBSET-OF B2))))
    (IN-CONTEXT
      ((LET-BE X (MEMBER-OF S))
       (LET-BE Y (MEMBER-OF S))
       (WRITE-AS X (APPLY-MAP H PRE-X)
                 (PRE-X (IN-U-SET (DOMAIN H))))
       (WRITE-AS Y (APPLY-MAP H PRE-Y)
                 (PRE-Y (IN-U-SET (DOMAIN H)))))
      (IN-CONTEXT
        ((LET-BE PM (MEET PRE-X PRE-Y (DOMAIN H))))
        (NOTE (IS (MEET X Y B2)
                  (MEMBER-OF S))))
      (IN-CONTEXT
        ((LET-BE PC (COMPLEMENT PRE-X (DOMAIN H))))
        (NOTE (IS (COMPLEMENT X B2)
                  (MEMBER-OF S))))
      (NOTE-GOAL))))


(DEFTERM (BOOLEAN-IMAGE (H BOOLEAN-HOMOMORPHISM))
  (RESTRICT-ORDER (RANGE H) (IMAGE H)))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (BOOLEAN-IMAGE H)
        (BOOLEAN-SUBALGEBRA-OF (RANGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (BOOLEAN-IMAGE H)
        BOOLEAN-LATTICE)))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (BOOLEAN-IMAGE H)
        (STRUCTURE-CONTAINING (IMAGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (= (U-SET (BOOLEAN-IMAGE H))
       (IMAGE H))))

(IN-CONTEXT ((LET-BE H BOOLEAN-HOMOMORPHISM)
             (LET-BE B2 (RANGE H))
             (LET-BE S2 (IMAGE H))
             (LET-BE B3 (BOOLEAN-IMAGE H)))
  (NOTE (IS B3 (BOOLEAN-SUBALGEBRA-OF B2)))
  (NOTE (IS B3 BOOLEAN-LATTICE))
  (NOTE (IS B3 (STRUCTURE-CONTAINING (IMAGE H))))
  (NOTE (= (U-SET B3) (IMAGE H))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM)
           (X (IN-U-SET (BOOLEAN-IMAGE H))))
    (= (COMPLEMENT X (BOOLEAN-IMAGE H))
       (COMPLEMENT X (RANGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM)
           (X (IN-U-SET (BOOLEAN-IMAGE H)))
           (Y (IN-U-SET (BOOLEAN-IMAGE H))))
    (= (JOIN X Y (BOOLEAN-IMAGE H))
       (JOIN X Y (RANGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM)
           (X (IN-U-SET (BOOLEAN-IMAGE H)))
           (Y (IN-U-SET (BOOLEAN-IMAGE H))))
    (= (MEET X Y (BOOLEAN-IMAGE H))
       (MEET X Y (RANGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (SET!-RANGE H (BOOLEAN-IMAGE H))
        BOOLEAN-HOMOMORPHISM)))

(IN-CONTEXT
  ((LET-BE H BOOLEAN-HOMOMORPHISM)
   (LET-BE BIMAGE (BOOLEAN-IMAGE H))
   (LET-BE H2 (SET!-RANGE H BIMAGE)))
  (IN-CONTEXT ((LET-BE BRANGE (RANGE H))
               (LET-BE X (IN-U-SET BIMAGE))
               (LET-BE Y (IN-U-SET BIMAGE)))
    (NOTE (= (COMPLEMENT X BIMAGE)
             (COMPLEMENT X BRANGE)))
    (NOTE (= (JOIN X Y BIMAGE)
             (JOIN X Y BRANGE)))
    (NOTE (= (MEET X Y BIMAGE)
             (MEET X Y BRANGE))))
  (IN-CONTEXT
    ((PUSH-GOAL (IS H2 BOOLEAN-HOMOMORPHISM))
     (LET-BE BDOMAIN (DOMAIN H))
     (LET-BE X (IN-U-SET BDOMAIN))
     (LET-BE Y (IN-U-SET BDOMAIN))
     (LET-BE HX (APPLY-MAP H2 X))
     (LET-BE HY (APPLY-MAP H2 Y)))
    (IN-CONTEXT
      ((LET-BE CX (COMPLEMENT X BDOMAIN))
       (LET-BE HCX (APPLY-MAP H2 CX)))
      (NOTE (IS H2 MAP-WHICH-RESPECTS-COMPLEMENT)))
    (IN-CONTEXT
      ((LET-BE MX (MEET X Y BDOMAIN))
       (LET-BE HMX (APPLY-MAP H2 MX)))
      (NOTE (IS H2 MAP-WHICH-RESPECTS-MEET)))
    (NOTE-GOAL)))
A.10 Filters and Ultrafilters



A filter in a bounded lattice L is a non-empty subset F of L which satisfies
the following conditions:

• F does not contain the least member of L.

• If x is in F then every member of L greater than or equal to x is in F.

• If x and y are in F then the meet of x and y is in F.

If x is a non-bottom member of a bounded lattice L then the filter generated
by x is the set of all members of L greater than or equal to x. We show that
the filter generated by x is a filter of L.

An ultrafilter is a maximal filter, i.e. an ultrafilter of L is a filter of L
which is not a proper subset of any other filter of L. We show that the set
of all filters of L ordered under inclusion is an inductive order and thus by
Zorn's lemma every filter is contained in some ultrafilter. We also show that
if the join of x and y is a member of an ultrafilter F of a bounded
distributive lattice then either x is in F or y is in F. This implies that if
F is an ultrafilter in a Boolean lattice L and x is any member of L, either x
or the complement of x is a member of the ultrafilter F.

(DEFTYPE (FILTER-OF (L BOUNDED-LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET L))))
    (AND (NOT (IS (BOTTOM L) (MEMBER-OF S)))
         (FORALL ((X (MEMBER-OF S)))
           (IS-EVERY (GREATER-OR-EQUAL-TO X L)
                     (MEMBER-OF S)))
         (FORALL ((X (MEMBER-OF S)))
           (FORALL ((Y (MEMBER-OF S)))
             (IS (MEET X Y L)
                 (MEMBER-OF S)))))))

(DEFTYPE (NON-BOTTOM-MEMBER-OF (L BOUNDED-LATTICE))
  (LAMBDA ((X (IN-U-SET L)))
    (NOT (= X (BOTTOM L)))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (EXISTS-SOME
      (NON-BOTTOM-MEMBER-OF L))))

(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (LET-BE T (TOP L)))
  (NOTE (EXISTS-SOME
          (NON-BOTTOM-MEMBER-OF L))))

(DEFTERM (FILTER-GENERATED-BY
           (X (NON-BOTTOM-MEMBER-OF L))
           (L BOUNDED-LATTICE))
  (THE-SET-OF-ALL
    (GREATER-OR-EQUAL-TO X L)))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (NON-BOTTOM-MEMBER-OF L)))
    (IS (FILTER-GENERATED-BY X L)
        (FILTER-OF L))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE X (NON-BOTTOM-MEMBER-OF L))
   (LET-BE F (FILTER-GENERATED-BY X L))
   (PUSH-GOAL (IS F (FILTER-OF L))))
  (IN-CONTEXT ((LET-BE S (U-SET L))
               (LET-BE Y (MEMBER-OF F)))
    (NOTE (IS F (NON-EMPTY-SUBSET-OF (U-SET L)))))
  (IN-CONTEXT ((LET-BE BOT (BOTTOM L)))
    (NOTE (NOT (IS (BOTTOM L) (MEMBER-OF F)))))
  (IN-CONTEXT
    ((LET-BE Y (MEMBER-OF F))
     (LET-BE Z (GREATER-OR-EQUAL-TO Y L)))
    (NOTE (FORALL ((Y (MEMBER-OF F)))
            (IS-EVERY (GREATER-OR-EQUAL-TO Y L)
                      (MEMBER-OF F)))))
  (IN-CONTEXT ((LET-BE Y (MEMBER-OF F))
               (LET-BE Z (MEMBER-OF F))
               (LET-BE M (MEET Y Z L)))
    (NOTE (FORALL ((Y (MEMBER-OF F))
                   (Z (MEMBER-OF F)))
            (IS (MEET Y Z L)
                (MEMBER-OF F)))))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (FILTER-OF L)))
    (IS (TOP L)
        (MEMBER-OF F))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE F (FILTER-OF L))
   (PUSH-GOAL (IS (TOP L) (MEMBER-OF F))))
  (IN-CONTEXT ((LET-BE X (MEMBER-OF F))
               (LET-BE T (TOP L)))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (F (FILTER-OF B))
           (X (MEMBER-OF F)))
    (NOT (IS (COMPLEMENT X B)
             (MEMBER-OF F)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE F (FILTER-OF B))
             (LET-BE X (MEMBER-OF F))
             (LET-BE CX (COMPLEMENT X B)))
  (NOTE (NOT (IS CX (MEMBER-OF F)))))

(DEFTYPE (ULTRAFILTER-OF (L BOUNDED-LATTICE))
  (MAXIMAL-ELEMENT-OF
    (INCLUSION-ORDER
      (THE-SET-OF-ALL (FILTER-OF L)))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (ULTRAFILTER-OF L)))
    (IS F (FILTER-OF L))))

(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (PUSH-GOAL
               (IS-EVERY (ULTRAFILTER-OF L)
                         (FILTER-OF L))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (ULTRAFILTER-OF L)))
     (LET-BE F (ULTRAFILTER-OF L))
     (LET-BE FILTER-SET
       (THE-SET-OF-ALL (FILTER-OF L)))
     (LET-BE FILTER-POSET
       (INCLUSION-ORDER FILTER-SET)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (ULTRAFILTER-OF L)))
    (NOT (EXISTS-SOME
           (AND-TYPE (FILTER-OF L)
                     (PROPER-SUPERSET-OF F))))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (PUSH-GOAL
     (FORALL ((F (ULTRAFILTER-OF L)))
       (NOT (EXISTS-SOME
              (AND-TYPE (FILTER-OF L)
                        (PROPER-SUPERSET-OF F)))))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (ULTRAFILTER-OF L)))
     (LET-BE F (ULTRAFILTER-OF L)))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME
           (AND-TYPE (FILTER-OF L)
                     (PROPER-SUPERSET-OF F))))
       (LET-BE F2
         (AND-TYPE (FILTER-OF L)
                   (PROPER-SUPERSET-OF F)))
       (LET-BE FILTER-SET
         (THE-SET-OF-ALL (FILTER-OF L)))
       (LET-BE FILTER-POSET
         (INCLUSION-ORDER FILTER-SET)))
      (NOTE-CONTRADICTION))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (IS (THE-SET-OF-ALL (FILTER-OF L))
        FAMILY-OF-SETS)))

(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (LET-BE F (THE-SET-OF-ALL (FILTER-OF L)))
             (LET-BE S (MEMBER-OF F)))
  (NOTE (IS F FAMILY-OF-SETS)))
We now come to the proof that every filter is contained in some ultrafilter.
The following natural argument is taken from [Bell & Machover 77] page 136.

Let F be the set of all filters in a Boolean algebra B; F can be
partially ordered by inclusion. We will show that, with respect
to this ordering, chains in F have upper bounds in F.

Let T be a chain in F, and let $C = \bigcup T$. If $x, y \in C$, then
for some $D, E \in T$, $x \in D$ and $y \in E$. Since T is a chain, either
$D \subseteq E$ or $E \subseteq D$; suppose the latter case obtains. Then
$x, y \in D$ and because D is a filter we have $x \wedge y \in D \subseteq C$.
If $z \in B$ and $x \leq z$ then ipso facto $z \in D \subseteq C$. Since
$0 \notin D$ for all $D \in T$, it follows that $0 \notin C$. Therefore C is
a filter and is the required upper bound for T in F.

We may accordingly invoke Zorn's Lemma to conclude that,
for every filter D in B, F contains a maximal member, i.e. an
ultrafilter, which includes D.

A comparison of the above English proof with the Ontic proof given below
yields a predicate count loss factor of 1.3 and a word count loss factor of
1.2.
(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (IS (INCLUSION-ORDER
          (THE-SET-OF-ALL (FILTER-OF L)))
        INDUCTIVE-ORDER)))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE FILTER-FAMILY
     (THE-SET-OF-ALL (FILTER-OF L)))
   (LET-BE FILTER-POSET
     (INCLUSION-ORDER FILTER-FAMILY))
   (PUSH-GOAL (IS FILTER-POSET INDUCTIVE-ORDER)))
  (IN-CONTEXT ((LET-BE C (CHAIN-IN FILTER-POSET)))
    (IN-CONTEXT ((LET-BE S (MEMBER-OF C)))
      (NOTE (IS C FAMILY-OF-SETS)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (EXISTS-SOME
           (UPPER-BOUND-OF C FILTER-POSET)))
       (LET-BE UC (FAMILY-UNION C)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS UC (FILTER-OF L))))
        (IN-CONTEXT ((LET-BE USET (U-SET L))
                     (LET-BE S (MEMBER-OF C)))
          (NOTE (IS UC (NON-EMPTY-SUBSET-OF USET))))
        (IN-CONTEXT
          ((LET-BE BOT (BOTTOM L))
           (SUPPOSE (IS BOT (MEMBER-OF UC)))
           (WRITE-AS BOT (MEMBER-OF S)
                     (S (MEMBER-OF C))))
          (NOTE-CONTRADICTION))
        (IN-CONTEXT
          ((PUSH-GOAL
             (FORALL ((X (MEMBER-OF UC)))
               (IS-EVERY (GREATER-OR-EQUAL-TO X L)
                         (MEMBER-OF UC))))
           (LET-BE X (MEMBER-OF UC))
           (LET-BE Y (GREATER-OR-EQUAL-TO X L)))
          (IN-CONTEXT ((WRITE-AS X (MEMBER-OF S)
                                 (S (MEMBER-OF C))))
            (NOTE-GOAL)))
        (IN-CONTEXT
          ((PUSH-GOAL
             (FORALL ((X (MEMBER-OF UC))
                      (Y (MEMBER-OF UC)))
               (IS (MEET X Y L) (MEMBER-OF UC))))
           (LET-BE X (MEMBER-OF UC))
           (LET-BE Y (MEMBER-OF UC))
           (LET-BE M (MEET X Y L)))
          (IN-CONTEXT
            ((PUSH-GOAL (IS M (MEMBER-OF UC)))
             (WRITE-AS X (MEMBER-OF S1)
                       (S1 (MEMBER-OF C)))
             (WRITE-AS Y (MEMBER-OF S2)
                       (S2 (MEMBER-OF C))))
            (IN-CONTEXT
              ((SUPPOSE (IS S1 (SUBSET-OF S2))))
              (NOTE-GOAL))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT ((LET-BE S (MEMBER-OF C)))
        (NOTE (IS UC (UPPER-BOUND-OF C FILTER-POSET))))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (FILTER-OF L)))
    (EXISTS-SOME
      (AND-TYPE (ULTRAFILTER-OF L)
                (SUPERSET-OF F)))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE F (FILTER-OF L))
   (PUSH-GOAL
     (EXISTS-SOME
       (AND-TYPE (ULTRAFILTER-OF L)
                 (SUPERSET-OF F)))))
  (IN-CONTEXT
    ((LET-BE FILTER-SET
       (THE-SET-OF-ALL (FILTER-OF L)))
     (LET-BE FILTER-POSET
       (INCLUSION-ORDER FILTER-SET))
     (LET-BE F2
       (AND-TYPE
         (MAXIMAL-ELEMENT-OF FILTER-POSET)
         (GREATER-OR-EQUAL-TO F FILTER-POSET))))
    (NOTE-GOAL)))

(DEFTYPE (ULTRAFILTER-CONTAINING
           (X (IN-U-SET L))
           (L BOUNDED-LATTICE))
  (LAMBDA ((F (ULTRAFILTER-OF L)))
    (IS X (MEMBER-OF F))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (X (NON-BOTTOM-MEMBER-OF L)))
    (EXISTS-SOME
      (ULTRAFILTER-CONTAINING X L))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE X (NON-BOTTOM-MEMBER-OF L))
   (PUSH-GOAL
     (EXISTS-SOME
       (ULTRAFILTER-CONTAINING X L))))
  (IN-CONTEXT
    ((LET-BE G1 (FILTER-GENERATED-BY X L))
     (LET-BE G2 (AND-TYPE (ULTRAFILTER-OF L)
                          (SUPERSET-OF G1))))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (=> (NOT (IS X (LESS-OR-EQUAL-TO Y B)))
        (EXISTS ((F (ULTRAFILTER-CONTAINING X B)))
          (NOT (IS Y (MEMBER-OF F)))))))

(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE X (IN-U-SET B))
   (LET-BE Y (IN-U-SET B))
   (SUPPOSE (NOT (IS X (LESS-OR-EQUAL-TO Y B))))
   (PUSH-GOAL
     (EXISTS ((F (ULTRAFILTER-CONTAINING X B)))
       (NOT (IS Y (MEMBER-OF F))))))
  (IN-CONTEXT
    ((LET-BE CY (COMPLEMENT Y B))
     (LET-BE M (MEET X CY B))
     (LET-BE F (ULTRAFILTER-CONTAINING M B)))
    (NOTE-GOAL)))
We now come to the proof that if F is an ultrafilter and if $x \vee y \in F$
then $x \in F$ or $y \in F$. The following natural argument is taken from
[Bell & Machover 77] top of page 136, case (iii) $\Rightarrow$ (iv).

Suppose F is an ultrafilter of a bounded distributive lattice L
and that $x \vee y \in F$. To show that $x \in F$ or $y \in F$ suppose that
$x \notin F$. It is easy to see that $G = \{z : x \vee z \in F\}$ is a
filter which includes F, and so, since F is an ultrafilter, $F = G$. But
since $x \vee y \in F$ it follows that $y \in G$ and hence $y \in F$.

A comparison of the above natural argument with the Ontic proof yields a
predicate count loss factor of 2.1 and a word count loss factor of 2.7.
(LEMMA
  (FORALL ((L (AND-TYPE DISTRIBUTIVE-LATTICE
                        BOUNDED-LATTICE))
           (F (ULTRAFILTER-OF L))
           (X (IN-U-SET L))
           (Y (IN-U-SET L)))
    (=> (IS (JOIN X Y L) (MEMBER-OF F))
        (OR (IS X (MEMBER-OF F))
            (IS Y (MEMBER-OF F))))))

(IN-CONTEXT
  ((LET-BE L (AND-TYPE DISTRIBUTIVE-LATTICE
                       BOUNDED-LATTICE))
   (LET-BE F (ULTRAFILTER-OF L))
   (LET-BE X (IN-U-SET L))
   (LET-BE Y (IN-U-SET L))
   (SUPPOSE (IS (JOIN X Y L) (MEMBER-OF F)))
   (PUSH-GOAL (OR (IS X (MEMBER-OF F))
                  (IS Y (MEMBER-OF F)))))
  (IN-CONTEXT
    ((SUPPOSE (NOT (IS X (MEMBER-OF F))))
     (PUSH-GOAL (IS Y (MEMBER-OF F))))
    (IN-CONTEXT
      ((LET-BE G
         (THE-SET-OF-ALL (Z (IN-U-SET L))
           (IS (JOIN X Z L) (MEMBER-OF F)))))
      ; clearly y is in g
      (IN-CONTEXT ((PUSH-GOAL (= F G)))
        ; this will complete the proof that
        ; y is in f
        (IN-CONTEXT
          ((PUSH-GOAL (IS G (SUPERSET-OF F)))
           (LET-BE Z (MEMBER-OF F))
           (LET-BE J (JOIN X Z L)))
          (NOTE-GOAL))
        (IN-CONTEXT
          ((PUSH-GOAL (IS G (FILTER-OF L))))
          ; since f is a maximal filter this
          ; completes the proof
          (IN-CONTEXT
            ((PUSH-GOAL
               (IS G (NON-EMPTY-SUBSET-OF (U-SET L))))
             (LET-BE S (U-SET L))
             (LET-BE Z (MEMBER-OF G)))
            (NOTE-GOAL))
          (IN-CONTEXT ((LET-BE BOT (BOTTOM L)))
            (NOTE (NOT (IS (BOTTOM L) (MEMBER-OF G)))))
          (IN-CONTEXT
            ((PUSH-GOAL
               (FORALL ((Z1 (MEMBER-OF G))
                        (Z2 (GREATER-OR-EQUAL-TO Z1 L)))
                 (IS Z2 (MEMBER-OF G))))
             (LET-BE Z1 (MEMBER-OF G))
             (LET-BE Z2 (GREATER-OR-EQUAL-TO Z1 L))
             (LET-BE J1 (JOIN X Z1 L))
             (LET-BE J2 (JOIN X Z2 L)))
            ; j2 is greater or equal to j1
            (NOTE-GOAL))
          (IN-CONTEXT
            ((PUSH-GOAL
               (FORALL ((Z1 (MEMBER-OF G))
                        (Z2 (MEMBER-OF G)))
                 (IS (MEET Z1 Z2 L) (MEMBER-OF G))))
             (LET-BE Z1 (MEMBER-OF G))
             (LET-BE Z2 (MEMBER-OF G)))
            (IN-CONTEXT
              ((LET-BE J1 (JOIN X Z1 L))
               (LET-BE J2 (JOIN X Z2 L)))
              (NOTE (IS (JOIN X (MEET Z1 Z2 L) L)
                        (MEMBER-OF F))))
            (IN-CONTEXT
              ((LET-BE M (MEET Z1 Z2 L)))
              (NOTE-GOAL)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL)))
    (NOTE-GOAL))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (F (ULTRAFILTER-OF B))
           (X (IN-U-SET B)))
    (OR (IS X (MEMBER-OF F))
        (IS (COMPLEMENT X B)
            (MEMBER-OF F)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE F (ULTRAFILTER-OF B))
             (LET-BE X (IN-U-SET B))
             (LET-BE CX (COMPLEMENT X B)))
  (NOTE (OR (IS X (MEMBER-OF F))
            (IS CX (MEMBER-OF F)))))
A.11 The Stone Representation Theorem

Finally we come to the Stone representation theorem for Boolean algebras.
The following natural definitions and natural arguments are taken from [Bell
& Machover 77] pages 141 and 142.

Let us define a field of sets to be a subalgebra of a power set
algebra. In particular, a field of subsets of a set X is a subalgebra
of the power set of X.

If B is a Boolean algebra, we denote by SB the set of all ultrafilters
in B.

Theorem. Each Boolean algebra is isomorphic to a field of subsets
of SB.

Proof. Let B be a Boolean algebra. Define a mapping $u : B \to \mathcal{P}SB$
by putting:

$$u(x) = \{F \in SB : x \in F\}$$

for each $x \in B$. Thus $u(x)$ is the set of all ultrafilters containing
x.

We claim that u is a homomorphism of B into $\mathcal{P}SB$. For
suppose that $x, y \in B$; then, if $F \in SB$, we have

$$F \in u(x \wedge y) \iff x \wedge y \in F \iff x \in F \;\&\; y \in F \iff F \in u(x) \cap u(y)$$

Hence $u(x \wedge y) = u(x) \cap u(y)$. Also, we have

$$F \in u(x^{*}) \iff x^{*} \in F \iff x \notin F \text{ (by Thm. 3.5(iv))} \iff F \in SB - u(x)$$

Accordingly $u(x^{*}) = SB - u(x)$, so that, by Prob. 3.3, u is a
homomorphism.

We also note that u is one-one, for if $x \neq y$ then by Cor.
3.9 there is an ultrafilter F containing x, say, but not y. Then
$F \in u(x)$ and $F \notin u(y)$, so that $u(x) \neq u(y)$.

We have therefore shown that u is an isomorphism of B onto
the subalgebra $u[B]$ of $\mathcal{P}SB$, which proves the theorem.

A comparison of the above natural definitions and arguments with the
remainder of this section yields a predicate count loss factor of 2.0 and a
word count loss factor of 1.7.



(DEFTYPE FIELD-OF-SETS
  (WRITABLE-AS (BOOLEAN-SUBALGEBRA-OF
                 (POWER-SET-LATTICE S))
               (S SET)))

(LEMMA
  (EXISTS-SOME FIELD-OF-SETS))

(IN-CONTEXT ((LET-BE S SET)
             (LET-BE P (POWER-SET-LATTICE S)))
  (NOTE (EXISTS-SOME FIELD-OF-SETS)))

(LEMMA
  (FORALL ((B FIELD-OF-SETS))
    (IS B BOOLEAN-LATTICE)))

(IN-CONTEXT
  ((LET-BE B FIELD-OF-SETS)
   (WRITE-AS B (BOOLEAN-SUBALGEBRA-OF
                 (POWER-SET-LATTICE S))
             (S SET))
   (LET-BE B2 (POWER-SET-LATTICE S)))
  (NOTE (IS B BOOLEAN-LATTICE)))
(DEFTERM (ALL-STONE-MODELS (B BOOLEAN-LATTICE))
  (THE-SET-OF-ALL (ULTRAFILTER-OF B)))

(DEFTERM (THE-STONE-MODELS-OF
           (X (IN-U-SET B))
           (B BOOLEAN-LATTICE))
  (THE-SET-OF-ALL
    (ULTRAFILTER-CONTAINING X B)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B)))
    (IS (THE-STONE-MODELS-OF X B)
        (SUBSET-OF (ALL-STONE-MODELS B)))))

(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE S (ALL-STONE-MODELS B))
   (LET-BE X (IN-U-SET B))
   (LET-BE SX (THE-STONE-MODELS-OF X B))
   (PUSH-GOAL (IS SX (SUBSET-OF S))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF SX)))
     (LET-BE F (MEMBER-OF SX)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTERM (STONE-MAP (B BOOLEAN-LATTICE))
  (MAKE-MAP
    B
    (POWER-SET-LATTICE (ALL-STONE-MODELS B))
    (THE-RULE ((X (IN-U-SET B)))
      (THE-STONE-MODELS-OF X B))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (POWER-SET-LATTICE (ALL-STONE-MODELS B))
        POWER-LATTICE)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (= (U-SET (POWER-SET-LATTICE (ALL-STONE-MODELS B)))
       (POWER-SET (ALL-STONE-MODELS B)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (S2 (SUBSET-OF (ALL-STONE-MODELS B))))
    (IS S2
        (MEMBER-OF
          (U-SET (POWER-SET-LATTICE (ALL-STONE-MODELS B)))))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (ALL-STONE-MODELS B)))
  (NOTE (IS (POWER-SET-LATTICE S) POWER-LATTICE))
  (IN-CONTEXT ((LET-BE PS (POWER-SET S)))
    (NOTE (= (U-SET (POWER-SET-LATTICE S)) PS))
    (NOTE (IS-EVERY (SUBSET-OF S)
                    (MEMBER-OF (U-SET (POWER-SET-LATTICE S)))))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (THE-RULE ((X (IN-U-SET B)))
          (THE-STONE-MODELS-OF X B))
        (RULE-BETWEEN
          (U-SET B)
          (U-SET (POWER-SET-LATTICE (ALL-STONE-MODELS B)))))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B)
        (MAP-BETWEEN B (POWER-SET-LATTICE (ALL-STONE-MODELS B))))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B) BOOLEAN-MAP)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (= (DOMAIN (STONE-MAP B)) B)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (= (RANGE (STONE-MAP B))
       (POWER-SET-LATTICE (ALL-STONE-MODELS B)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B)))
    (= (APPLY-MAP (STONE-MAP B) X)
       (THE-STONE-MODELS-OF X B))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE SB (POWER-SET-LATTICE (ALL-STONE-MODELS B)))
             (LET-BE H (STONE-MAP B))
             (LET-BE R (THE-RULE ((X (IN-U-SET B)))
                         (THE-STONE-MODELS-OF X B)))
             (LET-BE X (IN-U-SET B)))
  (IN-CONTEXT ((LET-BE HX (APPLY-RULE R X))
               (LET-BE USET1 (U-SET B))
               (LET-BE USET2 (U-SET SB)))
    (NOTE (IS R (RULE-BETWEEN USET1 USET2))))
  (NOTE (IS H (MAP-BETWEEN B SB)))
  (NOTE (IS H BOOLEAN-MAP))
  (NOTE (= (DOMAIN H) B))
  (NOTE (= (RANGE H) SB))
  (NOTE (= (APPLY-MAP H X)
           (THE-STONE-MODELS-OF X B))))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B) BOOLEAN-HOMOMORPHISM)))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE H (STONE-MAP B))
             (LET-BE SB (POWER-SET-LATTICE (ALL-STONE-MODELS B)))
             (PUSH-GOAL (IS H BOOLEAN-HOMOMORPHISM)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS H MAP-WHICH-RESPECTS-MEET))
     (LET-BE X (IN-U-SET B))
     (LET-BE Y (IN-U-SET B))
     (LET-BE X-MODELS (APPLY-MAP H X))
     (LET-BE Y-MODELS (APPLY-MAP H Y))
     (LET-BE M (MEET X Y B))
     (LET-BE M-MODELS (APPLY-MAP H M))
     (LET-BE MODEL-INTERSECTION
       (INTERSECTION X-MODELS Y-MODELS)))
    (IN-CONTEXT
      ((PUSH-GOAL (= M-MODELS MODEL-INTERSECTION)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS MODEL-INTERSECTION (SUBSET-OF M-MODELS))))
        (IN-CONTEXT
          ((SUPPOSE (EXISTS-SOME (MEMBER-OF MODEL-INTERSECTION)))
           (LET-BE F (MEMBER-OF MODEL-INTERSECTION)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT
        ((PUSH-GOAL (IS M-MODELS (SUBSET-OF MODEL-INTERSECTION))))
        (IN-CONTEXT
          ((SUPPOSE (EXISTS-SOME (MEMBER-OF M-MODELS)))
           (LET-BE F (MEMBER-OF M-MODELS)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (IN-CONTEXT
    ((PUSH-GOAL (IS H MAP-WHICH-RESPECTS-COMPLEMENT))
     (LET-BE X (IN-U-SET B))
     (LET-BE HX (APPLY-MAP H X))
     (LET-BE C (COMPLEMENT X B))
     (LET-BE C-MODELS (APPLY-MAP H C))
     (LET-BE ALL-MODELS (ALL-STONE-MODELS B))
     (LET-BE MODEL-COMPLEMENT
       (SET-DIFFERENCE ALL-MODELS HX)))
    (IN-CONTEXT
      ((PUSH-GOAL (= C-MODELS MODEL-COMPLEMENT)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS MODEL-COMPLEMENT (SUBSET-OF C-MODELS))))
        (IN-CONTEXT
          ((SUPPOSE (EXISTS-SOME (MEMBER-OF MODEL-COMPLEMENT)))
           (LET-BE F (MEMBER-OF MODEL-COMPLEMENT)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT
        ((PUSH-GOAL (IS C-MODELS (SUBSET-OF MODEL-COMPLEMENT))))
        (IN-CONTEXT
          ((SUPPOSE (EXISTS-SOME (MEMBER-OF C-MODELS)))
           (LET-BE F (MEMBER-OF C-MODELS)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))

  (NOTE-GOAL))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B) INJECTION)))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE H (STONE-MAP B))
             (PUSH-GOAL (IS H INJECTION)))
  (IN-CONTEXT
    ((LET-BE MSET (MEMBER-OF (IMAGE H)))
     (LET-BE PRE-MSET
       (PREIMAGE H (MAKE-SET MSET))))
    (IN-CONTEXT
      ((PUSH-GOAL (EXACTLY-ONE (MEMBER-OF PRE-MSET)))
       (LET-BE X (MEMBER-OF PRE-MSET))
       (LET-BE Y (MEMBER-OF PRE-MSET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (LESS-OR-EQUAL-TO Y B))))
        (IN-CONTEXT
          ((SUPPOSE (NOT (IS X (LESS-OR-EQUAL-TO Y B))))
           (LET-BE F (ULTRAFILTER-CONTAINING X B)
                     (NOT (IS Y (MEMBER-OF F)))))
          (NOTE-CONTRADICTION))
        (NOTE+GENERALIZE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (BOOLEAN-IMAGE (STONE-MAP B))
        FIELD-OF-SETS)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (SET!-RANGE (STONE-MAP B)
                    (BOOLEAN-IMAGE (STONE-MAP B)))
        (BOOLEAN-ISOMORPHISM-BETWEEN
          B
          (BOOLEAN-IMAGE (STONE-MAP B))))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (EXISTS-SOME
      (AND-TYPE FIELD-OF-SETS
                (BOOLEAN-LATTICE-ISOMORPHIC-TO B)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE H (STONE-MAP B))
             (LET-BE B2 (BOOLEAN-IMAGE H)))
  (IN-CONTEXT ((LET-BE S (ALL-STONE-MODELS B)))
    (NOTE (IS B2 FIELD-OF-SETS)))
  (IN-CONTEXT ((LET-BE H2 (SET!-RANGE H B2)))
    (NOTE (IS H2 (BOOLEAN-ISOMORPHISM-BETWEEN B B2)))
    (NOTE (EXISTS-SOME
            (AND-TYPE FIELD-OF-SETS
                      (BOOLEAN-LATTICE-ISOMORPHIC-TO B))))))
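The construction of A.9 through A.11, checked by exhaustive computation on one finite Boolean lattice. This is an added example; it is not Ontic code and not code from the thesis. The lattice (the divisors of 30 ordered by divisibility, so meet is gcd, join is lcm, bottom is 1, top is 30 and the complement of x is 30/x), the function names and the brute-force enumeration of filters are all assumptions made here for illustration. On a finite lattice the Zorn's-lemma step of A.10 is replaced by enumeration, and the block verifies the lemmas of A.9 (STONE-MAP respects meet, join and complement), of A.10 (the filter generated by a non-bottom element is a filter, every filter extends to an ultrafilter, an ultrafilter is prime and contains exactly one of x and its complement, and if x is not below y some ultrafilter contains x but not y) and of A.11 (STONE-MAP is an injective Boolean homomorphism into the power set of ALL-STONE-MODELS).

```python
# Added example, not Ontic code and not from the thesis.  Brute-force check
# of the filter/ultrafilter lemmas of A.10 and the Stone map of A.11 on one
# finite Boolean lattice.  Assumed for illustration: the lattice is the set
# of divisors of 30 ordered by divisibility (meet = gcd, join = lcm,
# bottom = 1, top = 30, complement of x = 30 // x); its atoms are 2, 3, 5.
from itertools import combinations
from math import gcd

N = 30
ELEMENTS = [d for d in range(1, N + 1) if N % d == 0]  # the U-SET: 1..30
BOTTOM, TOP = 1, N


def leq(x, y):            # x LESS-OR-EQUAL-TO y: x divides y
    return y % x == 0


def meet(x, y):           # greatest common divisor
    return gcd(x, y)


def join(x, y):           # least common multiple
    return x * y // gcd(x, y)


def complement(x):        # meet(x, 30 // x) = 1 and join(x, 30 // x) = 30
    return N // x


def is_filter(s):
    """FILTER-OF: non-empty, omits BOTTOM, upward closed, closed under meet."""
    s = frozenset(s)
    if not s or BOTTOM in s:
        return False
    upward = all(z in s for x in s for z in ELEMENTS if leq(x, z))
    meets = all(meet(x, y) in s for x in s for y in s)
    return upward and meets


def all_filters():
    """THE-SET-OF-ALL (FILTER-OF L), found by testing every subset."""
    return {frozenset(c)
            for r in range(1, len(ELEMENTS) + 1)
            for c in combinations(ELEMENTS, r)
            if is_filter(c)}


def filter_generated_by(x):
    """FILTER-GENERATED-BY x L: every member greater than or equal to x."""
    return frozenset(z for z in ELEMENTS if leq(x, z))


def ultrafilters():
    """ULTRAFILTER-OF L: filters that are maximal under inclusion."""
    fs = all_filters()
    return {f for f in fs if not any(f < g for g in fs)}


def every_filter_extends_to_ultrafilter():
    """The Zorn's-lemma conclusion of A.10, checked by enumeration."""
    ufs = ultrafilters()
    return all(any(f <= g for g in ufs) for f in all_filters())


def is_prime_filter(f):
    """join(x, y) in F implies x in F or y in F."""
    return all(x in f or y in f
               for x in ELEMENTS for y in ELEMENTS if join(x, y) in f)


def contains_exactly_one_of_each_pair(f):
    """Exactly one of x and complement(x) lies in the ultrafilter f."""
    return all((x in f) != (complement(x) in f) for x in ELEMENTS)


def separates():
    """If not x <= y then some ultrafilter contains x but not y."""
    ufs = ultrafilters()
    return all(any(x in f and y not in f for f in ufs)
               for x in ELEMENTS for y in ELEMENTS if not leq(x, y))


def stone_map(x):
    """STONE-MAP: x |-> THE-STONE-MODELS-OF x B, the ultrafilters containing x."""
    return frozenset(f for f in ultrafilters() if x in f)


def stone_map_respects(op):
    """Does STONE-MAP commute with op ('meet', 'join' or 'complement')?  In
    the power-set lattice of ALL-STONE-MODELS these are intersection, union
    and set difference from the whole set of ultrafilters."""
    u = {x: stone_map(x) for x in ELEMENTS}
    sb = ultrafilters()
    if op == "meet":
        return all(u[meet(x, y)] == u[x] & u[y] for x in ELEMENTS for y in ELEMENTS)
    if op == "join":
        return all(u[join(x, y)] == u[x] | u[y] for x in ELEMENTS for y in ELEMENTS)
    if op == "complement":
        return all(u[complement(x)] == sb - u[x] for x in ELEMENTS)
    raise ValueError(op)


def stone_map_is_injective():
    """Distinct elements get distinct sets of ultrafilters (Cor. 3.9 above)."""
    return len({stone_map(x) for x in ELEMENTS}) == len(ELEMENTS)


if __name__ == "__main__":
    for f in sorted(ultrafilters(), key=min):
        print("ultrafilter generated by", min(f), "=", sorted(f))
    print("Stone map of 6 picks out the ultrafilters generated by",
          sorted(min(f) for f in stone_map(6)))
```

Every filter of a finite lattice is principal, so `all_filters` returns the seven filters generated by the non-bottom elements and the ultrafilters are exactly those generated by the atoms 2, 3 and 5. `stone_map(6)` is then the set of the ultrafilters generated by 2 and by 3, which is the image of 6 = 2 · 3 in the power set of the three ultrafilters, and the checks in `stone_map_respects` are the three equations of the Bell & Machover proof quoted above, with the lattice operations on the left and the set operations on the right.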